business with the organization in multiple business lines or jurisdictions.3 Regardless of how
a consolidated BSA/AML compliance program is organized, it should reflect the
organization’s business structure, size, and complexity, and be designed to effectively
address risks, exposures, and applicable legal requirements across the organization.
A consolidated approach should also include the establishment of corporate standards for
BSA/AML compliance that reflect the expectations of the organization’s board of directors,
with senior management working to ensure that the BSA/AML compliance program
implements these corporate standards. Individual lines of business policies would then
supplement the corporate standards and address specific risks within the line of business or
department.
A consolidated BSA/AML compliance program typically includes a central point where
BSA/AML risks throughout the organization are aggregated. Refer to “Consolidated
BSA/AML Compliance Risk Assessment,” page 24. Under a consolidated approach, risk
should be assessed both within and across all business lines, legal entities, and jurisdictions
of operation. Programs for global organizations should incorporate the AML laws and
requirements of the various jurisdictions in which they operate. Internal audit should assess
the level of compliance with the consolidated BSA/AML compliance program.
Examiners should be aware that some complex, diversified banking organizations may have
various subsidiaries that hold different types of licenses and banking charters or may
organize business activities and BSA/AML compliance program components across their
legal entities. For instance, a highly diversified banking organization may establish or
maintain accounts using multiple legal entities that are examined by multiple regulators.
This action may be taken in order to maximize efficiencies, enhance tax benefits, adhere to
jurisdictional regulations, etc. This methodology may present a challenge to an examiner
reviewing BSA/AML compliance in a legal entity within an organization. As appropriate,
examiners should coordinate efforts with other regulatory agencies in order to address these
challenges or ensure the examination scope appropriately covers the legal entity examined.
3 For additional guidance, refer to the expanded overview section, “Foreign Branches and Offices of U.S.
Banks,” page 164, and the Basel Committee on Banking Supervision’s guidance Consolidated Know Your
Customer (KYC) Risk Management.
responsibility should be clear with respect to the content and comprehensiveness of MIS
reports, the depth and frequency of monitoring efforts, and the role of different parties within
the banking organization (e.g., risk, business lines, operations) in BSA/AML compliance
decision-making processes. Clearly communicating which functions have been delegated
and which remain centralized helps to ensure consistent implementation of the BSA/AML
compliance program among lines of business, affiliates, and jurisdictions. In addition, a clear
line of responsibility may help to avoid conflicts of interest and ensure that objectivity is
maintained.
Regardless of the management structure or size of the institution, BSA/AML compliance
staff located within lines of business is not precluded from close interaction with the
management and staff of the various business lines. BSA/AML compliance functions are
often most effective when strong working relationships exist between compliance and
business line staff.
In some compliance structures, the compliance staff reports to the management of the
business line. This can occur in smaller institutions when the BSA/AML compliance staff
reports to a senior bank officer; in larger institutions when the compliance staff reports to a
line of business manager; or in a foreign banking organization’s U.S. operations when the
staff reports to a single office or executive. These situations can present risks of potential
conflicts of interest that could hinder effective BSA/AML compliance. To ensure the
strength of compliance controls, an appropriate level of BSA/AML compliance independence
should be maintained, for example, by:
Boards of directors.4 The board of directors is responsible for approving the BSA/AML
compliance program and for overseeing the structure and management of the bank’s
BSA/AML compliance function. The board is responsible for setting an appropriate culture
of BSA/AML compliance, establishing clear policies regarding the management of key
BSA/AML risks, and ensuring that these policies are adhered to in practice.
The board should ensure that senior management is fully capable, qualified, and properly
motivated to manage the BSA/AML compliance risks arising from the organization’s
business activities in a manner that is consistent with the board’s expectations. The board
should ensure that the BSA/AML compliance function has an appropriately prominent status
within the organization. Senior management within the BSA/AML compliance function and
senior compliance personnel within the individual business lines should have the appropriate
authority, independence, and access to personnel and information within the organization,
and appropriate resources to conduct their activities effectively. The board should ensure
that its views about the importance of BSA/AML compliance are understood and
communicated across all levels of the banking organization. The board also should ensure
that senior management has established appropriate incentives to integrate BSA/AML
compliance objectives into management goals and compensation structure across the
organization, and that corrective actions, including disciplinary measures, if appropriate, are
taken when serious BSA/AML compliance failures are identified.
Senior management. Senior management is responsible for communicating and reinforcing
the BSA/AML compliance culture established by the board, and implementing and enforcing
the board-approved BSA/AML compliance program. If the banking organization has a
separate BSA/AML compliance function, senior management of the function should
establish, support, and oversee the organization’s BSA/AML compliance program.
BSA/AML compliance staff should report to the board, or a committee thereof, on the
effectiveness of the BSA/AML compliance program and significant BSA/AML compliance
matters.
Senior management of a foreign banking organization’s U.S. operations should provide
sufficient information relating to the U.S. operations’ BSA/AML compliance to the
governance or control functions in its home country, and should ensure that responsible
senior management in the home country has an appropriate understanding of the BSA/AML
risk and control environment governing U.S. operations. U.S. management should assess the
effectiveness of established BSA/AML control mechanisms for U.S. operations on an
ongoing basis and report and escalate areas of concern as needed. As appropriate, corrective
action then should be developed, implemented and validated.
4 Foreign banking organizations should ensure that, with respect to their U.S. operations, the responsibilities of
the board described in this section are fulfilled in an appropriate manner through their oversight structure and
BSA/AML risk management framework.
5 12 CFR 225.4(f).
Examination Procedures
BSA/AML Compliance Program Structures
Objective. Assess the structure and management of the banking organization’s BSA/AML
compliance program, and, if applicable, the banking organization’s consolidated or partially
consolidated approach to BSA/AML compliance. A BSA/AML compliance program may be
structured in a variety of ways, and an examiner should perform procedures based on the
structure of the organization. Completion of these procedures may require communication
with other regulators.
1. Review the structure and management of the BSA/AML compliance program.
Communicate with peers at other federal and state banking agencies, as necessary, to
confirm their understanding of the organization’s BSA/AML compliance program. This
approach promotes consistent supervision and lessens regulatory burden for the banking
organization. Determine the extent to which the structure of the BSA/AML compliance
program affects the organization being examined, by considering:
• The extent to which the banking organization (or a corporate-level unit, such as audit
or compliance) performs regular independent testing of BSA/AML activities.
• The sufficiency of audit in jurisdictions with restrictive privacy laws that may limit
the dissemination of information.
• Examiner in charge.
• Person (or persons) responsible for ongoing supervision of the organization and
subsidiary banks, as appropriate.
• Corporate management.
6 Bank holding companies (BHC) or any nonbank subsidiary thereof, or a foreign bank that is subject to the
BHC Act or any nonbank subsidiary of such a foreign bank operating in the United States, are required to file
SARs (12 CFR 225.4(f)). A BHC’s nonbank subsidiaries operating only outside the United States are not
required to file SARs. Certain savings and loan holding companies, and their nondepository subsidiaries, are
required to file SARs pursuant to Treasury regulations (e.g., insurance companies (31 CFR 1025.320) and
broker/dealers (31 CFR 1023.320)). In addition, savings and loan holding companies, if not required, are
strongly encouraged to file SARs in appropriate circumstances. On January 20, 2006, the Financial Crimes
Enforcement Network, Board of Governors of the Federal Reserve System, Federal Deposit Insurance
Corporation, Office of the Comptroller of the Currency, and the Office of Thrift Supervision issued guidance
authorizing banking organizations to share SARs with head offices and controlling companies, whether located
in the United States or abroad. Refer to the core overview section, “Suspicious Activity Reporting,” page 60,
for additional information.
Risk Factors
Examiners should understand the type of products and services offered at foreign branches
and offices, as well as the customers and geographic locations served at the foreign branches
and offices. Any service offered by the U.S. bank may be offered by the foreign branches
and offices if not prohibited by the host country. Such products and services offered at the
foreign branches and offices may have a different risk profile from that of the same product
or service offered in the U.S. bank (e.g., money services businesses are regulated in the
United States; however, similar entities in another country may not be regulated). Therefore,
the examiner should be aware that risks associated with foreign branches and offices may
differ (e.g., wholesale versus retail operations).
The examiner should understand the foreign jurisdiction’s various AML requirements.
Secrecy laws or their equivalent may affect the ability of the foreign branch or office to share
information with the U.S. parent bank, or the ability of the examiner to examine on-site.
While banking organizations with overseas branches or subsidiaries may find it necessary to
tailor monitoring approaches as a result of local privacy laws, the compliance oversight
mechanism should ensure it can effectively assess and monitor risks within such branches
and subsidiaries. Although specific BSA requirements are not applicable at foreign branches
and offices, banks are expected to have policies, procedures, and processes in place at all
their branches and offices to protect against risks of money laundering and terrorist
financing. In this regard, foreign branches and offices should be guided by the U.S. bank’s
BSA/AML policies, procedures, and processes. The foreign branches and offices must
comply with applicable OFAC requirements and all local AML-related laws, rules, and
regulations.
7 Foreign offices include affiliates and subsidiaries.
8 Edge and agreement corporations may be used to hold foreign investments (e.g., foreign portfolio investments,
joint ventures, or subsidiaries).
9 71 Fed. Reg. 13935.
10 For additional information, refer to Consolidated Know Your Customer (KYC) Risk Management, Basel
Committee on Banking Supervision, 2004.
Risk Mitigation
Branches and offices of U.S. banks located in higher-risk geographic locations may be
vulnerable to abuse by money launderers. To address this concern, the U.S. bank’s policies,
procedures, and processes for the foreign operation should be consistent with the following
recommendations:
• The U.S. bank’s head office and management at the foreign operation should understand
the effectiveness and quality of bank supervision in the host country and understand the
legal and regulatory requirements of the host country. The U.S. bank’s head office
should be aware of and understand any concerns that the host country supervisors may
have with respect to the foreign branch or office.
• The U.S. bank’s head office should understand the foreign branches’ or offices’ risk
profile (e.g., products, services, customers, and geographic locations).
• The U.S. bank’s head office and management should have access to sufficient
information in order to periodically monitor the activity of their foreign branches and
offices, including the offices’ and branches’ level of compliance with head office
policies, procedures, and processes. Some of this may be achieved through MIS reports.
• The U.S. bank’s head office should develop a system for testing and verifying the
integrity and effectiveness of internal controls at the foreign branches or offices by
conducting in-country audits. Senior management at the head office should obtain and
review copies, written in English, of audit reports and any other reports related to AML
and internal control evaluations.
• The U.S. bank’s head office should establish robust information-sharing practices
between branches and offices, particularly regarding higher-risk account relationships.
The bank should use the information to evaluate and understand account relationships
throughout the corporate structure (e.g., across borders or legal structures).
• The U.S. bank’s head office should be able to provide examiners with any information
deemed necessary to assess compliance with U.S. banking laws.
Foreign branch and office compliance and audit structures can vary substantially based on
the scope of operations (e.g., geographic locations) and the type of products, services, and
customers. Foreign branches and offices with multiple locations within a geographic region
(e.g., Europe, Asia, and South America) are frequently overseen by regional compliance and
audit staff. Regardless of the size or scope of operations, the compliance and audit staff and
audit programs should be sufficient to oversee the AML risks.
• The risk profile of the foreign branch or office and whether the profile is stable or
changing as a result of a reorganization, the introduction of new products or services, or
other factors, including the risk profile of the jurisdiction itself.
• The effectiveness and quality of bank supervision in the host country.
• Existence of an information-sharing arrangement between the host country and the U.S.
supervisor.
• The history of examination or audit concerns at the foreign branch or office.
• The size and complexity of the foreign branch’s or office’s operations.
• Effectiveness of internal controls, including systems for managing AML risks on a
consolidated basis and internal audit.
• The capability of management at the foreign branch or office to protect the entity from
money laundering or terrorist financing.
• The availability of the foreign branch or office records in the United States.
In some jurisdictions, financial secrecy and other laws may prevent or severely limit U.S.
examiners or U.S. head office staff from directly evaluating customer activity or records. In
cases when an on-site examination cannot be conducted effectively, examiners should
consult with appropriate agency personnel. In such cases, agency personnel may contact
foreign supervisors to make appropriate information sharing or examination arrangements.
In lower-risk situations when information is restricted, examiners may conduct U.S.-based
examinations (refer to discussion below). In higher-risk situations when adequate
examinations (on-site or otherwise) cannot be effected, the agency may require the head
office to take action to address the situation, which may include closing the foreign office.
U.S.-Based Examinations
U.S.-based, or off-site, examinations generally require greater confidence in the AML
program at the foreign branch or office, as well as the ability to access sufficient records.
Such off-site examinations should include discussions with senior bank management at the
head and foreign office. These discussions are crucial to the understanding of the foreign
branches’ or offices’ operations, AML risks, and AML programs. Also, the examination of
the foreign branch or office should include a review of the U.S. bank’s involvement in
managing or monitoring the foreign branch’s operations, internal control systems (e.g.,
policies, procedures, and monitoring reports), and, where available, the host country
supervisors’ examination findings, audit findings, and workpapers. As with all BSA/AML
examinations, the extent of transaction testing and activities where it is performed is based on
various factors including the examiner’s judgment of risks, controls, and the adequacy of the
independent testing.
Examination Procedures
Foreign Branches and Offices of U.S. Banks
Objective. Assess the adequacy of the U.S. bank’s systems to manage the risks associated
with its foreign branches and offices, and management’s ability to implement effective
monitoring and reporting systems.
1. Review the policies, procedures, and processes related to foreign branches and offices11
to evaluate their adequacy given the activity in relation to the bank’s risk, and assess
whether the controls are adequate to reasonably protect the bank from money laundering
and terrorist financing.
2. On the basis of a review of MIS and internal risk rating factors, determine whether the
U.S. bank’s head office effectively identifies and monitors foreign branches and offices,
particularly those conducting higher-risk transactions or located in higher-risk
jurisdictions.
3. Determine whether the U.S. bank’s head office system for monitoring foreign branches
and offices and detecting unusual or suspicious activities at those branches and offices is
adequate given the bank’s size, complexity, location, and types of customer relationships.
Determine whether the host country requires reporting of suspicious activities and, if
permitted and available, review those reports. Determine whether this information is
provided to the U.S. bank’s head office and filtered into a bank-wide or, if appropriate, a
firm-wide assessment of suspicious activities.
4. Review the bank’s tiering or organizational structure report, which should include a list
of all legal entities and the countries in which they are registered. Determine the
locations of foreign branches and offices, including the foreign regulatory environment
and the degree of access by U.S. regulators for on-site examinations and customer
records.
5. Review any partnering or outsourcing relationships of foreign branches and offices.
Determine whether the relationship is consistent with the bank’s AML program.
6. Determine the type of products, services, customers, entities, and geographic locations
served by the foreign branches and offices. Review the risk assessments of the foreign
branches and offices.
7. Review the management, compliance, and audit structure of the foreign branches and
offices. Identify the decisions that are made at the bank’s U.S. head office level versus
those that are made at the foreign branch or office.
8. Determine the involvement of the U.S. bank’s head office in managing and monitoring
foreign branches and offices. Conduct a preliminary evaluation of the foreign branches
or offices through discussions with senior management at the U.S. bank’s head office
(e.g., operations, customers, entities, jurisdictions, products, services, management
11 Foreign offices include affiliates and subsidiaries.
Transaction Testing
12. Make a determination whether transaction testing is feasible. If feasible on the basis of
the bank’s risk assessment of this activity and prior examination and audit reports, select
a sample of higher-risk foreign branch and office activity. Complete transaction testing
from appropriate expanded examination procedures sections (e.g., pouch activity).
13. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with the
U.S. bank’s foreign branches and offices.
Risk Factors
Parallel banking organizations may have common management, share policies and
procedures, cross-sell products, or generally be linked to a foreign parallel financial
institution in a number of ways. The key money laundering concern regarding parallel
banking organizations is that the U.S. bank may be exposed to greater risk through
transactions with the foreign parallel financial institution. Transactions may be facilitated
and risks heightened because of the lack of arm’s-length dealing or reduced controls on
transactions between banks that are linked or closely associated. For example, officers or
directors may be common to both entities or may be different but nonetheless work
together.12
Risk Mitigation
The U.S. bank’s policies, procedures, and processes for parallel banking relationships should
be consistent with those for other foreign correspondent bank relationships. In addition,
parallel banks should:
12 For additional risks associated with parallel banking, refer to the Joint Agency Statement on Parallel-Owned
Banking Organizations issued by the Board of Governors of the Federal Reserve System, Federal Deposit
Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, April 23,
2002.
Examination Procedures
Parallel Banking
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
parallel banking relationships, and management’s ability to implement effective due
diligence, monitoring, and reporting systems.
1. Determine whether parallel banking relationships exist through discussions with
management or by reviewing inter-party activities involving the bank and another foreign
financial institution. Review the policies, procedures, and processes related to parallel
banking relationships. Evaluate the adequacy of the policies, procedures, and processes
given the bank’s parallel banking activities and the risks they present. Assess whether
the controls are adequate to reasonably protect the bank from money laundering and
terrorist financing.
2. Determine whether there are any conflicts of interest or differences in policies,
procedures, and processes between parallel bank relationships and other foreign
correspondent bank relationships. Particular consideration should be given to funds
transfer, pouch, and payable through activities because these activities are more
vulnerable to money laundering. If the bank engages in any of these activities, examiners
should consider completing applicable expanded examination procedures that address
each of these topics.
3. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors parallel banking relationships, particularly those that
pose a higher risk for money laundering.
4. Determine whether the bank’s system for monitoring parallel banking relationships for
suspicious activities, and for reporting suspicious activities, is adequate given the bank’s
size, complexity, location, and types of customer relationships.
5. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
6. On the basis of the bank’s risk assessment of its parallel banking activities, as well as
prior examination and audit reports, select a sample of higher-risk activities from parallel
banking relationships (e.g., foreign correspondent banking, funds transfer, payable
through accounts, and pouch).
7. Consider the location of the foreign parallel financial institution. If the jurisdiction is
higher risk, examiners should review a larger sample of transactions between the two
institutions. Banks doing business with parallel foreign banking organizations in
countries not designated as higher risk may still require EDD, but that determination is
based on the size, nature, and type of the transactions between the institutions.
• Deposit accounts. Assets known as “due from bank deposits” or “correspondent bank
balances” may represent the bank’s primary operating account.
• Funds transfers. A transfer of funds between banks may result from the collection of
checks or other cash items, transfer and settlement of securities transactions, transfer of
participating loan funds, purchase or sale of federal funds, or processing of customer
transactions.
• Other services. Services include processing loan participations, facilitating secondary
market loan sales, performing data processing and payroll services, and exchanging
foreign currency.
Bankers’ Banks
A bankers’ bank, which is organized and chartered to do business with other banks, is
generally owned by the banks it services. Bankers’ banks, which do not conduct business
directly with the public, offer correspondent banking services to independent community
banks, thrifts, credit unions, and real estate investment trusts. Bankers’ banks provide
services directly, through outsourcing arrangements, or by sponsoring or endorsing third
parties. The products bankers’ banks offer normally consist of traditional correspondent
banking services. Bankers’ banks should have risk-based policies, procedures, and processes
to manage the BSA/AML risks involved in these correspondent relationships to detect and
report suspicious activities.
Generally, a bankers’ bank signs a service agreement with the respondent bank13 outlining
each party’s responsibilities. The service agreement may include the following:
13 A respondent bank is any bank for which another bank establishes, maintains, administers, or manages a
correspondent account relationship.
Risk Mitigation
Banks that offer correspondent bank services to respondent banks should have policies,
procedures, and processes to manage the BSA/AML risks involved in these correspondent
relationships and to detect and report suspicious activities. Banks should ascertain whether
domestic correspondent accounts are proprietary or allow third-party transactions. When the
respondent bank allows third-party customers to transact business through the correspondent
account, the correspondent bank should ensure that it understands the due diligence and
monitoring procedures applied by the respondent on its customers that utilize the account.
The level of risk varies depending on the services provided and the types of transactions
conducted through the account and the respondent bank’s BSA/AML compliance program,
products, services, customers, entities, and geographic locations. Each bank should
appropriately monitor transactions of domestic correspondent accounts relative to the level of
assessed risk. In addition, domestic banks are independently responsible for OFAC
compliance for any transactions that flow through their banks. Appropriate filtering should
be in place. Refer to core overview section and examination procedures, “Office of Foreign
Assets Control,” pages 142 and 152, respectively.
Examination Procedures
Correspondent Accounts (Domestic)
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
offering domestic correspondent account relationships, and management’s ability to
implement effective monitoring and reporting systems.
1. Review the policies, procedures, and processes, and any bank service agreements related
to domestic correspondent banking relationships. Evaluate the adequacy of the policies,
procedures, and processes given the bank’s domestic correspondent accounts and the
risks they present. Assess whether the controls are adequate to reasonably protect the
bank from money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank has
identified any domestic correspondent banking activities as higher risk.
3. Determine whether the bank’s system for monitoring domestic correspondent accounts
for suspicious activities, and for reporting suspicious activities, is adequate given the
bank’s size, complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
5. On the basis of the bank’s review of respondent accounts14 with unusual or higher-risk
activity, its risk assessment, and prior examination and audit reports, select a sample of
respondent accounts. From the sample selected, perform the following examination
procedures:
14 A respondent bank is any bank for which another bank establishes, maintains, administers, or manages a
correspondent account relationship.
orders, or similar instruments drawn on other banks in amounts under $10,000. These
funds may possibly be transferred elsewhere in bulk amounts. Note whether the
instruments under $10,000 are sequentially numbered.
7. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
domestic correspondent bank relationships.
Contractual Agreements
Each relationship that a U.S. bank has with a foreign correspondent financial institution
should be governed by an agreement or a contract describing each party’s responsibilities and
other relationship details (e.g., products and services provided, acceptance of deposits,
clearing of items, forms of payment, and acceptable forms of endorsement). The agreement
or contract should also consider the foreign financial institution’s AML regulatory
requirements, customer base, due diligence procedures, and permitted third-party usage of
the correspondent account.
15 The term “foreign financial institution” as defined in 31 CFR 1010.605(f) generally includes:
• A foreign bank.
• A foreign branch or office of a U.S. bank, broker/dealer in securities, futures commission merchant,
introducing broker, or mutual fund.
• Any other person organized under foreign law that, if located in the United States, would be a
broker/dealer in securities, futures commission merchant, introducing broker, or mutual fund.
• Any person organized under foreign law that is engaged in the business of, and is readily identifiable as,
a currency dealer or exchanger or a money transmitter.
Risk Factors
Some foreign financial institutions are not subject to the same or similar regulatory
guidelines as U.S. banks; therefore, these foreign institutions may pose a higher money
laundering risk to their respective U.S. bank correspondent(s). Investigations have disclosed
that, in the past, foreign correspondent accounts have been used by drug traffickers and other
criminal elements to launder funds. Shell companies are sometimes used in the layering
process to hide the true ownership of accounts at foreign correspondent financial institutions.
Because of the large amount of funds, multiple transactions, and the U.S. bank’s potential
lack of familiarity with the foreign correspondent financial institution’s customer, criminals
and terrorists can more easily conceal the source and use of illicit funds. Consequently, each
U.S. bank, including all overseas branches, offices, and subsidiaries, should closely monitor
transactions related to foreign correspondent accounts.
Without adequate controls, a U.S. bank may also set up a traditional correspondent account
with a foreign financial institution and not be aware that the foreign financial institution is
permitting other financial institutions or customers to conduct transactions anonymously
through the U.S. bank account (e.g., payable through accounts[16] and nested accounts).
Nested Accounts
Nested accounts occur when a foreign financial institution gains access to the U.S. financial
system by operating through a U.S. correspondent account belonging to another foreign
financial institution. If the U.S. bank is unaware that its foreign correspondent financial
institution customer is providing such access to third-party foreign financial institutions,
these third-party financial institutions can effectively gain anonymous access to the U.S.
financial system. Unacceptable nested activity and other activity of concern may be
characterized by transactions to jurisdictions in which the foreign financial institution has no
known business activities or interests and transactions in which the total volume and
frequency significantly exceeds expected activity for the foreign financial institution,
considering its customer base or asset size. U.S. banks should also focus on nested account
transactions with any entities the bank has designated as higher risk.
Risk Mitigation
U.S. banks that offer foreign correspondent financial institution services should have
policies, procedures, and processes to manage the BSA/AML risks inherent with these
relationships and should closely monitor transactions related to these accounts to detect and
report suspicious activities. The level of risk varies depending on the foreign financial
institution’s strategic profile, including its size and geographic locations, the products and
services it offers, and the markets and customers it serves. The Clearing House Association,
LLC., and The Wolfsberg Group have published suggested industry standards and guidance
for banks that provide foreign correspondent banking services.[17] When dealing with foreign
correspondent account relationships, it is important for the bank to keep in mind regulatory
requirements related to special measures issued under section 311 of the USA PATRIOT Act
contained in the expanded overview section, “Special Measures,” page 133. Additional
information relating to risk assessments and due diligence is contained in the core overview
section, “Foreign Correspondent Account Recordkeeping, Reporting, and Due Diligence,”
page 111.
[16] Refer to the expanded overview section, “Payable Through Accounts,” page 194, for additional information.
[17] Refer to Guidelines for Counter Money Laundering Policies and Procedures in Correspondent Banking and
the Wolfsberg AML Principles for Correspondent Banking.
The U.S. bank’s policies, procedures, and processes should:
• Ensure that appropriate due diligence standards are applied to those accounts determined
to be higher risk.
• Ensure that foreign correspondent financial institution relationships are appropriately
included within the U.S. bank’s suspicious activity monitoring and reporting systems.
• Follow up on account activity and transactions that do not fit the foreign financial
institution customer’s strategic profile (i.e., transactions involving customers, industries
or products that are not generally part of that foreign financial institution’s customer base
or market).
also have an understanding of the effectiveness of the AML regime of the foreign
jurisdictions in which their foreign correspondent banking customers operate.
Examination Procedures
Correspondent Accounts (Foreign)
Objective. Assess the adequacy of the U.S. bank’s systems to manage the risks associated
with foreign correspondent banking and management’s ability to implement effective due
diligence, monitoring, and reporting systems. This section expands the earlier core review of
statutory and regulatory requirements of foreign correspondent account relationships in
order to provide a broader assessment of the AML risks associated with this activity.
1. Review the policies, procedures, and processes related to foreign correspondent financial
institution account relationships. Evaluate the adequacy of the policies, procedures, and
processes. Assess whether the controls are adequate to reasonably protect the U.S. bank
from money laundering and terrorist financing.
2. From a review of MIS and internal risk-rating factors, determine whether the U.S. bank
effectively identifies and monitors foreign correspondent financial institution account
relationships, particularly those that pose a higher risk for money laundering.
3. If the U.S. bank has a standardized foreign correspondent agreement, review a sample
agreement to determine whether each party’s responsibilities, products, and services
provided, and allowable third party usage of the correspondent account, are covered
under the contractual arrangement. If the U.S. bank does not have a standardized
agreement, refer to the transaction testing examination procedures.
4. Determine whether the U.S. bank’s system for monitoring foreign correspondent
financial institution account relationships for suspicious activities, and for reporting
suspicious activities, is adequate given the U.S. bank’s size, complexity, location, and
types of customer relationships.
5. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
6. On the basis of the U.S. bank’s risk assessment of its foreign correspondent activities, as
well as prior examination and audit reports, select a sample of higher-risk foreign
correspondent financial institution account relationships. The higher-risk sample should
include relationships with foreign financial institutions located in jurisdictions that do not
cooperate with international AML efforts and in other jurisdictions that the U.S. bank has
determined pose a higher risk. From the sample selected, perform the following
examination procedures:
• Determine whether actual activity is consistent with the nature of the customer’s
business. Identify any unusual or suspicious activity.
• Review large or unusual transactions to determine their nature. As necessary, obtain
and review copies of credit or debit advices, general ledger tickets, and other
supporting documentation.
• Analyze transactions to identify behavior indicative of nested accounts, intermediary
or clearing agent services, or other services for third-party foreign financial
institutions that have not been clearly identified.
7. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
foreign correspondent financial institution relationships.
[18] 31 CFR 1010.100(k) defines “common carrier” as any person engaged in the business of transporting
individuals or goods for a fee who holds itself out as ready to engage in such transportation for hire and who
undertakes to do so indiscriminately for all persons who are prepared to pay the fee for the particular service
offered. This section addresses a subgroup of common carriers, those persons engaged as a business in the
transportation of currency, other monetary instruments, or commercial papers, referred to herein as “common
carriers of currency.” An armored car service is a type of this subgroup of common carriers.
[19] Refer to CMIR guidance for common carriers of currency, including armored car services, FIN-2014-G002,
August 1, 2014.
intermediaries that ship currency gathered from other shippers, who in turn are gathering
currency from their customers who are currency originators. Intermediaries may be other
banks, central banks, nondeposit financial institutions, or agents of these entities.
Banks receive bulk shipments of currency directly when they take possession of an actual
shipment. Banks receive bulk shipments of currency indirectly when they take possession of
the economic equivalent of a currency shipment, such as through a cash letter notification or
deposit into the bank’s account at the Federal Reserve. In the case of a shipment received
indirectly, the actual shipment usually moves toward the bank only as far as a Federal
Reserve Bank or branch, where the value of the currency becomes recorded as held on the
bank’s behalf. Whether the shipment to or from the bank is direct or indirect, banks are
required to report the receipt or disbursement of currency in excess of $10,000 via a
Currency Transaction Report (CTR) (31 CFR 1010.311) subject to the exemptions at 31 CFR
1020.315. Note that most categories of CTR exempt persons apply only to the extent of the
exempt person’s domestic operations, 31 CFR 1020.315(b)(1-7). For more information on
CTRs refer to the Currency Transaction Reporting Overview on page 81.
Risk Factors
Bulk shipments of currency to banks from shippers that are presumed to be reputable may
nevertheless originate from illicit activity. The monetary proceeds of criminal activities, for
example, often reappear in the financial system as seemingly legitimate funds that have been
placed and finally integrated by flowing through numerous intermediaries and layered
transactions that disguise the origin of the funds. Layering can include shipments to or
through other jurisdictions. Accordingly, banks that receive direct or indirect bulk shipments
of currency risk becoming complicit in money laundering or terrorist financing schemes.
In recent years, the smuggling of bulk currency has become a preferred method for moving
illicit funds across borders.[20] Because bulk cash that is smuggled out of the United States is
usually denominated in U.S. dollars, those who receive the smuggled bulk cash must find
ways to re-integrate the currency into the global banking system. Often, this occurs through
the use of a foreign financial institution, many times a money services business, that
wittingly or unwittingly receives the illicit U.S.-dollar denominated proceeds, and then
originates a cash letter instrument (or a funds transfer) for processing by, or deposit into, a
U.S. bank. The foreign financial institution then initiates the process of physically
repatriating (shipping) the cash back into the United States.[21] Experience has shown a direct
correlation between the smuggling of bulk currency, the heightened use of wire transfers,
remote deposit capture (RDC) transactions or cash letter instruments from certain foreign
financial institutions and/or jurisdictions, and bulk shipments of currency into the United
States from the same foreign financial institutions or jurisdictions.[22]
[20] Refer to U.S. Money Laundering Threat Assessment (December 2005) on page 33. Congress criminalized
the act of smuggling large amounts of cash as part of the USA PATRIOT Act. Specifically, 31 USC 5332-Bulk
Cash Smuggling makes it a crime to smuggle or attempt to smuggle over $10,000 in currency or other monetary
instruments into or out of the United States, with the specific intent to evade the U.S. currency-reporting
requirements codified in 31 USC 5316.
The activity of shipping currency in bulk is not necessarily indicative of criminal or terrorist
activity. Many individuals and businesses, both domestic and foreign, generate currency
from legitimate cash sales of commodities or other products or services or certain industries
such as tourism or commerce. Also, intermediaries gather and ship currency from single or
multiple currency originators whose activities are legitimate. Banks may legitimately offer
services to receive such shipments. However, banks should be aware of the potential misuse
of their services by shippers of bulk currency. Banks should also guard against introducing
the monetary proceeds of criminal or terrorist activity into the financial system. Banks
should have a clear understanding of the appropriate volumes of currency shipments that are
commensurate with the currency originator’s or shipper’s profile (size, location, strategic
focus, customer base, geographic footprint) and the economic activity that generates the cash.
To inform banks on the topic of bulk currency shipments, FinCEN has issued a number of
advisories that set forth certain activities that may be associated with currency smuggling.[23]
According to FinCEN, U.S. law enforcement has observed a dramatic increase in the
smuggling of bulk cash proceeds from the sale of narcotics and other criminal activities from
the United States into Mexico. Although the FinCEN advisories deal specifically with the
shipment of bulk currency to and from the United States and Mexico, the issues discussed
could be pertinent to shipping bulk currency to and from other jurisdictions as well. Banks
should look at each situation on a case by case basis.
[21] In certain cases, the foreign financial institution will ship the cash to its central bank or a money center bank
in the foreign country in which the cash letter instrument originated. Sometimes numerous layered transactions
are used to disguise the origins of the cash, after which the currency may be returned directly to the United
States or further shipped to or through other jurisdictions. The cash will be repatriated back to the United States
for the account of the U.S. bank in which the cash letter instrument was processed or funds transfer deposit was
made.
[22] For an example of these types of transactions, refer to National Drug Intelligence Center’s National Drug
Threat Assessment 2008, Illicit Finance (December 2007).
[23] Refer to FinCEN’s Website for advisories on the shipment of bulk currency to and from the United States.
[24] Id.
Law enforcement has identified the following activities that, in various combinations, may be
associated with currency smuggling:[24]
• An increase in the sale of large denomination U.S. bank notes to foreign financial
institutions by U.S. banks.
• Small denomination U.S. bank notes smuggled into a foreign country being exchanged
for large denomination U.S. bank notes possessed by foreign financial institutions.
• Large volumes of small denomination U.S. bank notes being sent from foreign nonbank
financial institutions to their accounts in the United States via armored transport, or sold
directly to U.S. banks.
• Multiple wire transfers initiated by foreign nonbank financial institutions that direct U.S.
banks to remit funds to other jurisdictions that bear no apparent business relationship
with that foreign nonbank financial institution (recipients include individuals, businesses,
and other entities in free trade zones and other locations).
• The exchange of small denomination U.S. bank notes for large denomination U.S. bank
notes that may be sent to foreign countries.
• Deposits by foreign nonbank financial institutions to their accounts at U.S. banks that
include third-party items (including sequentially numbered monetary instruments).
• Deposits of currency and third-party items by foreign nonbank financial institutions into
their accounts at foreign financial institutions and thereafter direct wire transfers to the
foreign nonbank financial institution’s accounts at U.S. banks.
• Structuring of currency deposits into an account in one geographic area, with the funds
subsequently withdrawn in a different geographic region with little time elapsing between
deposit and withdrawal. This is usually known as “funnel account” or “interstate cash”
activity.
Risk Mitigation
U.S. banks that offer services to receive bulk shipments of currency should have policies,
procedures, and processes in place that mitigate and manage the BSA/AML risks associated
with the receipt of bulk currency shipments. Banks should also closely monitor bulk
currency shipment transactions to detect and report suspicious activity, with particular
emphasis on the source of funds and the reasonableness of transaction volumes from
currency originators and intermediaries.
Risk mitigation begins with an effective risk assessment process that distinguishes
relationships and transactions that present a higher risk of money laundering or terrorist
financing. Risk assessment processes should consider currency originator and intermediary
ownership, geographies, economic factors and the nature, source, location, and control of
bulk currency. For additional information relating to risk assessments and due diligence,
refer to the core overview sections “BSA/AML Risk Assessment” on page 18 and “Customer
Due Diligence” on page 56.
A U.S. bank’s policies, procedures, and processes should:
and intermediaries; specify relationship approval process that, for potential higher-risk
relationships, is independent of the business line and may include a visit to the
prospective shipper or shipping-preparation sites; and describe the circumstances under
which the bank does not open a relationship.
• Determine the intended use of the relationship, the expected volumes, frequency of
activity arising from transactions, sources of funds, reasonableness of volumes based on
originators and shippers (e.g., based on size, location, strategic focus, customer base,
geographic footprint), economic and regulatory conditions that may affect currency
circulation and any required BSA reporting obligations (CTRs, CMIRs, etc.).
• Identify the characteristics of acceptable and unacceptable transactions, including
circumstances when the bank does or does not accept bulk currency shipments.
• Assess the risks posed by a prospective shipping relationship using consistent, well-
documented risk-rating methodologies.
• Incorporate risk assessments, as appropriate, into the bank’s customer due diligence,
EDD, and suspicious activity monitoring systems.
• Require adequate and ongoing due diligence once the relationship is established, which,
as appropriate, may include periodic visits to the shipper and to shipping-preparation
sites. As necessary, scrutinize the root source of cash shipments for reasonableness and
legitimacy using risk-based processes.
• Ensure that appropriate due diligence standards are applied to relationships determined to
be higher risk.
• Include procedures for processing shipments, including employee responsibilities,
controls, reconciliation and documentation requirements, and employee/management
authorizations.
• Establish a process for escalating suspicious information on potential and existing
currency originator and intermediary relationships and transactions to an appropriate
management level for review.
• Refuse shipments having questionable or suspicious origins.
• Ensure that shipping relationships and comparisons of expected vs. actual shipping
volumes are included, as appropriate, within the U.S. bank’s systems for monitoring and
reporting suspicious activity.
• Establish criteria for terminating a shipping relationship.
• Ensure that shipments involving the foreign correspondent relationships are covered by
the bank’s due diligence program for correspondent accounts for foreign financial
institutions.[25]
[25] 31 CFR 1010.610.
As a sound practice, U.S. banks should inform currency originators, shippers, and
intermediaries of the BSA/AML-related requirements and expectations that apply to U.S.
banks. U.S. banks also should understand the BSA/AML controls that apply to, or are
otherwise adopted by, the currency originator, shipper, or intermediary, including any
customer due diligence and recordkeeping requirements or practices.
Other bank controls may also prove useful in protecting banks against illicit bulk shipments
of currency. These may include effective controls over foreign correspondent banking
activity, pouch activity, funds transfers, international Automated Clearing House
transactions, and remote deposit capture.
Contractual Agreements
U.S. banks should establish agreements or contracts with currency originators, shippers,
intermediaries, and/or established common carriers such as the ones that are allowed to
deliver directly to the bank’s vault.[26] The agreement or contract should describe each party’s
responsibilities and other relevant details of the relationship. The agreement or contract
should reflect and be consistent with any BSA/AML considerations that apply to the bank,
the common carrier, currency originator or intermediary, and their customers. The
agreement or contract should also address expectations about due diligence and permitted
use of the shipper’s services by third parties. While agreements and contracts should also
provide for respective BSA/AML controls, obligations, and considerations, U.S. banks
cannot shift their BSA/AML responsibilities to others.
[26] For additional details, refer to Treatment of Armored Car Service Transactions Conducted on Behalf of
Financial Institution Customers or Third Parties for Currency Transaction Report Purposes FIN-2013-R001,
July 12, 2013.
Examination Procedures
Bulk Shipments of Currency
Objective. Assess the adequacy of the U.S. bank’s systems to manage the risks associated
with receiving and sending bulk shipments of currency, and management’s ability to
implement effective due diligence, monitoring, and reporting systems.
1. Determine whether the bank receives or distributes shipments of bulk currency.
2. Review the policies, procedures, and processes related to receiving shipments of bulk
currency for adequacy, given the activity and the risks presented.
3. Review the list of currency originators, shippers, and intermediaries that send bulk
currency shipments to the bank.
4. Determine whether management has assessed the risks associated with receiving bulk
currency shipments from particular currency originators, shippers, and intermediaries.
Consider the source of the currency originator, shipper, or intermediary’s currency and
the reasonableness of transaction volumes. Assess the adequacy of the risk-assessment
methodology.
5. From a review of MIS and internal risk-rating factors, determine whether the bank
effectively identifies and monitors relationships with currency originators and
intermediaries, particularly those that pose a higher risk for money laundering or terrorist
financing.
6. If the bank has a standardized agreement or contract with currency originators, shippers,
intermediaries, and/or established common carriers, review a sample agreement or
contract to determine whether each party’s responsibilities, products, and services
provided, and allowable usage of the relationship by third parties, including the parties’
BSA/AML responsibilities, are covered. If the bank does not have a standardized
agreement or contract, refer to the transaction testing examination procedures below.
7. Determine whether the bank files required BSA reports (e.g., CTRs or CMIRs), if
applicable.
8. Determine whether the bank’s system for monitoring and reporting suspicious activities
related to shipping relationships and transactions is adequate given the bank’s size,
complexity, location, and types of customer relationships.
9. Determine whether the bank is monitoring for expected versus actual shipping volumes
and taking action in response to unusual or inordinate increase in volumes or patterns.
Transaction Testing
10. Based on the bank’s risk assessment of its relationships with currency originators,
shippers, and intermediaries, as well as prior examination and audit reports, select a
sample of currency originators, shippers, or intermediaries and recent bulk currency
shipments. The sample should include relationships with currency originators, shippers,
and intermediaries located in, or shipping from, jurisdictions that may pose a higher risk
for money laundering and terrorist financing, or that participate in businesses that may
pose a higher risk for money laundering and terrorist financing.
11. Preferably on an unannounced basis and over a period of several days, observe the
process for accepting shipments of bulk currency. Review the records and the shipments
for irregularities. From the samples selected, perform the following examination
procedures:
• Review for completeness a relationship agreement or contract that delineates each
party’s responsibilities and the products and services provided.
• Review U.S. bank statements of accounts and, as necessary, specific transaction
details.
• Review vault control records for bulk currency shipment transactions (in and out) to
identify large denomination activity as a result of small denomination exchanges.
• Assess the reasonableness of customer due diligence and EDD information pertaining
to the sampled currency originators, shippers, and intermediaries.
• Determine whether the nature, volume, and frequency of activity are consistent with
the expectations associated with the currency originator, shipper, and intermediary.
Discuss any inconsistencies identified with bank management. As necessary, obtain
and review copies of credit or debit advices, general ledger tickets, and other
supporting documentation.
• Review unusual transactions and customer due diligence information to determine if
transactions are potentially suspicious.
• Discuss preliminary findings and conclusions with bank management.
12. If the currency originator, shipper, or intermediary, or the referral agent who works for
the currency originator, shipper, or intermediary has an account with the bank, review a
sample of account activity.
13. Based on the examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with the
bulk shipment of currency.
Risk Factors
The majority of U.S. dollar drafts are legitimate; however, drafts have proven to be vulnerable
to money laundering abuse. Such schemes involving U.S. dollar drafts could involve the
smuggling of U.S. currency to a foreign financial institution for the purchase of a check or
draft denominated in U.S. dollars. The foreign financial institution accepts the U.S. currency
and issues a U.S. dollar draft drawn against its U.S. correspondent bank account. Once the
currency is in bank draft form, the money launderer can more easily conceal the source of
funds. The ability to convert illicit proceeds to a bank draft at a foreign financial institution
makes it easier for a money launderer to transport the instrument either back into the United
States or to endorse it to a third party in a jurisdiction where money laundering laws or
compliance are lax. In any case, the individual has laundered illicit proceeds; ultimately, the
draft or check is returned for processing at the U.S. correspondent bank.
Risk Mitigation
A U.S. bank’s policies, procedures, and processes should include the following:
• Outline criteria for opening a U.S. dollar draft relationship with a foreign financial
institution or entity (e.g., jurisdiction; products, services, target market; purpose of
account and anticipated activity; or customer history).
• Detail acceptable and unacceptable transactions (e.g., structuring transactions or the
purchase of multiple sequentially numbered drafts for the same payee).
• Detail the monitoring and reporting of suspicious activity associated with U.S. dollar
drafts.
• Discuss criteria for closing U.S. dollar draft relationships.
Examination Procedures
U.S. Dollar Drafts
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
U.S. dollar drafts, and management’s ability to implement effective monitoring and reporting
systems.
1. Review the policies, procedures, and processes related to U.S. dollar drafts. Evaluate the
adequacy of the policies, procedures, and processes given the bank’s U.S. dollar draft
activities and the risks they present. Assess whether the controls are adequate to
reasonably protect the bank from money laundering and terrorist financing. Determine
whether policies address the following:
• Criteria for allowing a foreign financial institution or entity to issue the U.S. bank’s
dollar drafts (e.g., jurisdiction; products, services, and target markets; purpose of
account and anticipated activity; customer history; and other available information).
• Identification of unusual transactions (e.g., structuring transactions or the purchase of
multiple sequentially numbered U.S. dollar drafts to the same payee).
• Criteria for ceasing U.S. dollar draft issuance through a foreign financial institution or
entity.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors higher-risk U.S. dollar draft accounts.
3. Determine whether the bank’s system for monitoring U.S. dollar draft accounts for
suspicious activities, and for reporting suspicious activities, is adequate given the bank’s
size, complexity, location, and types of customer relationships.
4. Obtain a list of foreign bank correspondent accounts in which U.S. dollar drafts are
offered. Review the volume, by number and dollar amount, of monthly transactions for
each account. Determine whether management has appropriately assessed risk.
Transaction Testing
5. On the basis of the bank’s risk assessment of its U.S. dollar draft activities, as well as
prior examination and audit reports, select a sample of foreign correspondent bank
accounts in which U.S. dollar drafts are processed. In the sample selected, include
accounts with a high volume of U.S. dollar draft activity. From the sample selected,
perform the following examination procedures:
• Review transactions for sequentially numbered U.S. dollar drafts to the same payee or
from the same remitter. Research any unusual or suspicious U.S. dollar draft
transactions.
• Review the bank’s contracts and agreements with foreign correspondent banks.
Determine whether contracts address procedures for processing and clearing U.S.
dollar drafts.
• Verify that the bank has obtained and reviewed information about the foreign
financial institution’s home country AML regulatory requirements (e.g., customer
identification and suspicious activity reporting).
6. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
U.S. dollar drafts.
Risk Factors
PTAs may be prone to higher risk because U.S. banks do not typically implement the same
due diligence requirements for PTAs that they require of domestic customers who want to
open checking and other accounts. For example, some U.S. banks merely request a copy of
signature cards completed by the payable through customers (the customer of the foreign
financial institution). These U.S. banks then process thousands of subaccountholder checks
and other transactions, including currency deposits, through the foreign financial institution’s
PTA. In most cases, little or no independent effort is expended to obtain or confirm
information about the individual and business subaccountholders that use the PTAs.
Foreign financial institutions’ use of PTAs, coupled with inadequate oversight by U.S. banks,
may facilitate unsound banking practices, including money laundering and related criminal
activities. The potential for facilitating money laundering or terrorist financing, OFAC
violations, and other serious crimes increases when a U.S. bank is unable to identify and
adequately understand the transactions of the ultimate users (all or most of whom are outside
of the United States) of its account with a foreign correspondent. PTAs used for illegal
purposes can cause banks serious financial losses in criminal and civil fines and penalties,
seizure or forfeiture of collateral, and reputation damage.
[27] In this type of relationship, the foreign financial institution is commonly referred to as the “master
accountholder.”
Risk Mitigation
U.S. banks offering PTA services should develop and maintain adequate policies,
procedures, and processes to guard against possible illicit use of these accounts. At a
minimum, policies, procedures, and processes should enable each U.S. bank to identify the
ultimate users of its foreign financial institution PTA and should include the bank’s obtaining
(or having the ability to obtain through a trusted third-party arrangement) substantially the
same information on the ultimate PTA users as it obtains on its direct customers.
Policies, procedures, and processes should include a review of the foreign financial
institution’s processes for identifying and monitoring the transactions of subaccountholders
and for complying with any AML statutory and regulatory requirements existing in the host
country and the foreign financial institution’s master agreement with the U.S. bank. In
addition, U.S. banks should have procedures for monitoring transactions conducted in foreign
financial institutions’ PTAs.
In an effort to address the risk inherent in PTAs, U.S. banks should have a signed contract
(i.e., master agreement) that includes:
28 It is possible for a subaccount to be subdivided into further subaccounts for separate persons.
Examination Procedures
Payable Through Accounts
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
payable through accounts (PTA), and management’s ability to implement effective
monitoring and reporting systems.
1. Review the policies, procedures, and processes related to PTAs. Evaluate the adequacy
of the policies, procedures, and processes given the bank’s PTA activities and the risks
they present. Assess whether the controls are adequate to reasonably protect the bank
from money laundering and terrorist financing. Determine whether:
• Criteria for opening PTA relationships with a foreign financial institution are
adequate. Examples of factors that may be used include: jurisdiction; bank secrecy or
money laundering haven; products, services, and markets; purpose; anticipated
activity; customer history; ownership; senior management; certificate of
incorporation; banking license; certificate of good standing; and demonstration of the
foreign financial institution’s operational capability to monitor account activity.
• Appropriate information has been obtained and validated from the foreign financial
institution concerning the identity of any persons having authority to direct
transactions through the PTA.
• Information and EDD have been obtained from the foreign financial institution
concerning the source and beneficial ownership of funds of persons who have
authority to direct transactions through the PTA (e.g., name, address, expected
activity level, place of employment, description of business, related accounts,
identification of foreign politically exposed persons, source of funds, and articles of
incorporation).
• Subaccounts are not opened before the U.S. bank has reviewed and approved the
customer information.
• Master or subaccounts can be closed if the information provided to the bank has been
materially inaccurate or incomplete.
• The bank can identify all signers on each subaccount.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors PTAs.
3. Determine whether the bank’s system for monitoring PTAs for suspicious activities, and
reporting suspicious activities, is adequate given the bank’s size, complexity, location,
and types of customer relationships.
4. To assess the volume of risk and determine whether adequate resources are allocated to
the oversight and monitoring activity, obtain a list of foreign correspondent bank
accounts in which PTAs are offered and request MIS reports that show:
• The volume and dollar amount of monthly transactions for each subaccount.
5. Verify that the bank has obtained and reviewed information concerning the foreign
financial institution’s home country AML regulatory requirements (e.g., customer
identification requirements and suspicious activity reporting) and considered these
requirements when reviewing PTAs. Determine whether the bank has ensured that
subaccount agreements comply with any AML statutory and regulatory requirements
existing in the foreign financial institution’s home country.
6. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
7. On the basis of the bank’s risk assessment of its PTA activities, as well as prior
examination and audit reports, select a sample of PTAs. From the sample, review the
contracts or agreements with the foreign financial institution. Determine whether the
contracts or agreements:
• Clearly outline the contractual responsibilities of both the U.S. bank and the foreign
financial institution.
• Define PTA and subaccount opening procedures and require an independent review
and approval process when opening the account.
• Require the foreign financial institution to comply with its local AML requirements.
• Restrict subaccounts from being opened by casas de cambio, finance companies,
funds remitters, or other nonbank financial institutions.
• Prohibit multi-tier subaccountholders.
• Provide for proper controls over currency deposits and withdrawals by
subaccountholders and ensure that CTRs have been appropriately filed.
• Provide for dollar limits on each subaccountholder’s transactions that are consistent
with expected account activity.
• Contain documentation requirements that are consistent with those used for opening
domestic accounts at the U.S. bank.
• Provide the U.S. bank with the ability to review information concerning the identity
of subaccountholders (e.g., directly or through a trusted third party).
• Require the foreign financial institution to monitor subaccount activities for unusual
or suspicious activity and report findings to the U.S. bank.
• Allow the U.S. bank, as permitted by local laws, to audit the foreign financial
institution’s PTA operations and to access PTA documents.
8. Review PTA master-account bank statements. (The examiner should determine the time
period based upon the size and complexity of the bank.) The statements chosen should
include frequent transactions and those of large dollar amounts. Verify the statements to
the general ledger and bank reconcilements. Note any currency shipments or deposits
made at the U.S. bank on behalf of an individual subaccountholder for credit to the
customer’s subaccount.
9. From the sample selected, review each subaccountholder’s identifying information and
related transactions for a period of time as determined by the examiner. Evaluate PTA
subaccountholders’ transactions. Determine whether the transactions are consistent with
expected transactions or warrant further research. (The sample should include
subaccountholders with significant dollar activity.)
10. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
PTAs.
Risk Factors
Banks should be aware that bulk amounts of monetary instruments purchased in the United
States that appear to have been structured to avoid the BSA-reporting requirements often
have been found in pouches or cash letters received from foreign financial institutions. This
is especially true in the case of pouches and cash letters received from jurisdictions with lax
or deficient AML structures. The monetary instruments involved are frequently money
orders, traveler’s checks, and bank checks that usually have one or more of the following
characteristics in common:
• The instruments were purchased on the same or consecutive days at different locations.
• They are numbered consecutively in amounts just under $3,000 or $10,000.
• The payee lines are left blank or made out to the same person (or to only a few people).
• They contain little or no purchaser information.
• They bear the same stamp, symbol, or initials.
• They are purchased in round denominations or repetitive amounts.
• The depositing of the instruments is followed soon after by a funds transfer out in the
same dollar amount.
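The following Python sketch is an added example, not part of the manual, showing how five of the characteristics listed above could be screened for in the itemized contents of a pouch or cash letter. The record fields, the sample items, the $300 "just under" margin, the minimum run length, and the "few payees" cutoff are all assumptions chosen for illustration; the $3,000 and $10,000 amounts come from the text.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

THRESHOLDS = (Decimal("3000"), Decimal("10000"))  # amounts named in the text
NEAR_MARGIN = Decimal("300")  # assumption: "just under" = within $300 below
MIN_RUN = 3                   # assumption: shortest serial run worth reviewing
MAX_FEW_PAYEES = 2            # assumption: "only a few people" = at most 2


@dataclass(frozen=True)
class Instrument:             # hypothetical record layout
    issuer: str
    serial: int
    amount: Decimal
    purchased: date
    location: str
    payee: str
    purchaser: str


def just_under(amount):
    return any(t - NEAR_MARGIN <= amount < t for t in THRESHOLDS)


def consecutive_runs(items):
    """Split each issuer's instruments into runs of consecutive serials."""
    by_issuer, runs = {}, []
    for it in items:
        by_issuer.setdefault(it.issuer, []).append(it)
    for group in by_issuer.values():
        group.sort(key=lambda it: it.serial)
        run = [group[0]]
        for it in group[1:]:
            if it.serial == run[-1].serial + 1:
                run.append(it)
                continue
            if len(run) >= MIN_RUN:
                runs.append(run)
            run = [it]
        if len(run) >= MIN_RUN:
            runs.append(run)
    return runs


def review_pouch(items):
    """Return one finding per serial run that shows at least one red flag."""
    findings = []
    for run in consecutive_runs(items):
        flags = set()
        if all(just_under(it.amount) for it in run):
            flags.add("consecutive_serials_just_under_threshold")
        days = sorted({it.purchased for it in run})
        same_or_adjacent = (days[-1] - days[0]).days == len(days) - 1
        if same_or_adjacent and len({it.location for it in run}) > 1:
            flags.add("same_or_consecutive_days_different_locations")
        payees = {it.payee.strip().lower() for it in run}
        if "" in payees or len(payees) <= MAX_FEW_PAYEES:
            flags.add("blank_or_few_payees")
        if all(not it.purchaser.strip() for it in run):
            flags.add("no_purchaser_information")
        amounts = Counter(it.amount for it in run)
        repetitive = amounts.most_common(1)[0][1] >= MIN_RUN
        if repetitive or all(a % 100 == 0 for a in amounts):
            flags.add("round_or_repetitive_amounts")
        if flags:
            findings.append({
                "issuer": run[0].issuer,
                "serials": (run[0].serial, run[-1].serial),
                "total": sum(it.amount for it in run),
                "flags": sorted(flags),
            })
    return findings


def _mo(serial, day, location):
    # Constructed money orders: blank payee, no purchaser, $2,900 each.
    return Instrument("MO-A", serial, Decimal("2900"), date(2024, 3, day),
                      location, "", "")


# Constructed sample pouch: one suspicious run, one benign run, loose items.
SAMPLE_POUCH = [
    _mo(7001, 4, "Store 12"), _mo(7002, 4, "Store 31"),
    _mo(7003, 5, "Store 12"), _mo(7004, 5, "Store 44"),
    Instrument("BK-C", 900, Decimal("150.25"), date(2024, 3, 6), "Branch 2",
               "Acme Supply", "J. Rivera"),
    Instrument("BK-C", 901, Decimal("482.10"), date(2024, 3, 6), "Branch 2",
               "City Utilities", "J. Rivera"),
    Instrument("BK-C", 902, Decimal("75.00"), date(2024, 3, 6), "Branch 2",
               "L. Chen", "J. Rivera"),
    Instrument("TC-D", 120, Decimal("500"), date(2024, 2, 1), "Kiosk 9",
               "M. Okafor", "M. Okafor"),
    Instrument("TC-D", 245, Decimal("1200"), date(2024, 2, 20), "Kiosk 9",
               "M. Okafor", "M. Okafor"),
]

if __name__ == "__main__":
    for finding in review_pouch(SAMPLE_POUCH):
        print(finding)
```

The stamp or initials characteristic and the follow-on funds transfer are left out because they need image review and account-level transaction data rather than the pouch itemization alone.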
Risk Mitigation
Banks should have policies, procedures, and processes related to pouch activity that should:
• Outline criteria for opening a pouch relationship with an individual or a foreign financial
institution (e.g., customer due diligence requirements, type of institution or person,
acceptable purpose of the relationship).
• Detail acceptable and unacceptable transactions (e.g., monetary instruments with blank
payees, unsigned monetary instruments, and a large number of consecutively numbered
monetary instruments).
• Detail procedures for processing the pouch, including employee responsibilities, dual
control, reconciliation and documentation requirements, and employee sign off.
• Detail procedures for reviewing for unusual or suspicious activity, including elevating
concerns to management. (Contents of pouches may be subject to CTR, Report of
International Transportation of Currency or Monetary Instruments (CMIR), and SAR
reporting requirements.)
• Discuss criteria for closing pouch relationships.
The above factors should be included within an agreement or contract between the bank and
the courier that details the services to be provided and the responsibilities of both parties.
29 Referral agents are foreign individuals or corporations, contractually obligated to the U.S. bank. They
provide representative-type services to the bank’s clients abroad for a fee. Services can range from referring
new customers to the bank, to special mail handling, obtaining and pouching documents, distributing the bank’s
brochures and applications or forms, notarizing documents for customers, and mailing customers’ funds to the
bank in the United States for deposit.
30 For additional guidance, refer to the core overview section, “International Transportation of Currency or
Examination Procedures
Pouch Activities
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
pouch activities, and management’s ability to implement effective monitoring and reporting
systems.
1. Determine whether the bank has incoming or outgoing pouch activity and whether the
activity is via carrier or courier.
2. Review the policies, procedures, and processes, and any contractual agreements related to
pouch activities. Evaluate the adequacy of the policies, procedures, and processes given
the bank’s pouch activities and the risks they present. Assess whether the controls are
adequate to reasonably protect the bank from money laundering and terrorist financing.
3. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors pouch activities.
4. Determine whether the bank’s system for monitoring pouch activities for suspicious
activities, and for reporting suspicious activities, is adequate given the bank’s size,
complexity, location, and types of customer relationships.
5. Review the list of bank customers permitted to use pouch services (incoming and
outgoing). Determine whether management has assessed the risk of the customers
permitted to use this service.
6. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
7. On the basis of the bank’s risk assessment of its pouch activities, as well as prior
examination and audit reports, and recent activity records, select a sample of daily
pouches for review. Preferably on an unannounced basis and over a period of several
days, not necessarily consecutive, observe the pouch opening and the data capture
process for items contained in a sample of incoming pouches, and observe the preparation
of outgoing pouches. Review the records and the pouch contents for currency, monetary
instruments,31 bearer securities, prepaid cards, gems, art, illegal substances or contraband,
or other items that should not ordinarily appear in a bank’s pouch.
8. If the courier, or the referral agent who works for the courier, has an account with the
bank, review an appropriate sample of their account activity.
9. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
pouch activity.
31 Refer to core examination procedures, “International Transportation of Currency or Monetary Instruments
Reporting,” on page 139, for additional guidance.
Risk Factors
Banks should ensure that their monitoring systems adequately capture transactions conducted
electronically. As with any account, they should be alert to anomalies in account behavior.
Red flags may include the velocity of funds in the account or, in the case of ATMs, the
number of debit cards associated with the account.
Accounts that are opened without face-to-face contact may be a higher risk for money
laundering and terrorist financing for the following reasons:
32 Refer to the FFIEC Information Technology Examination Handbook.
basis.33 Banks may also institute other controls, such as establishing transaction dollar limits
for large items that require manual intervention to exceed the preset limit.
Risk Factors
RDC may expose banks to various risks, including money laundering, fraud, and information
security. Fraudulent, sequentially numbered, or physically altered documents, particularly
money orders and traveler’s checks, may be more difficult to detect when submitted by RDC
and not inspected by a qualified person. Banks may face challenges in controlling or
knowing the location of RDC equipment, because the equipment can be readily transported
from one jurisdiction to another. This challenge is increased as foreign correspondents and
foreign money services businesses are increasingly using RDC services to replace pouch and
certain instrument processing and clearing activities. Inadequate controls could result in
intentional or unintentional alterations to deposit item data, resubmission of a data file, or
duplicate presentment of checks and images at one or multiple financial institutions. In
addition, original deposit items are not typically forwarded to banks, but instead the customer
or the customer’s service provider retains them. As a result, record keeping, data safety, and
integrity issues may increase.
Higher-risk customers may be defined by industry, incidence of fraud, or other criteria.
Examples of higher-risk parties include online payment processors, certain credit-repair
services, certain mail order and telephone order companies, online gambling operations,
businesses located offshore, and adult entertainment businesses.
Risk Mitigation
Management should develop appropriate policies, procedures, and processes to mitigate the
risks associated with RDC services and to effectively monitor for unusual or suspicious
activity. Examples of risk mitigants include:
33 For additional information, refer to Authentication in an Internet Banking Environment issued by the FFIEC,
October 13, 2005.
34 Franking involves printing or stamping such phrases as “Processed” or “Electronically Processed” on the
front of the original check. This process is used as an indicator that the paper check has already been
electronically processed, and, therefore, should not be subsequently physically deposited.
Examination Procedures
Electronic Banking
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
electronic banking (e-banking) customers, including Remote Deposit Capture (RDC) activity,
and management’s ability to implement effective monitoring and reporting systems.
1. Review the policies, procedures, and processes related to e-banking, including RDC
activity as appropriate. Evaluate the adequacy of the policies, procedures, and processes
given the bank’s e-banking activities and the risks they present. Assess whether the
controls are adequate to reasonably protect the bank from money laundering and terrorist
financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors higher-risk e-banking activities.
3. Determine whether the bank’s system for monitoring e-banking, including RDC activity
as appropriate, for suspicious activities, and for reporting suspicious activities, is
adequate given the bank’s size, complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
5. On the basis of the bank’s risk assessment of its e-banking activities, as well as prior
examination and audit reports, select a sample of e-banking accounts. From the sample
selected, perform the following procedures:
35 Refer to the FFIEC Information Technology Examination Handbook.
36 Fedwire Services is a registered service mark of the Federal Reserve Banks.
37 CHIPS is a private multilateral settlement system owned and operated by The Clearing House Payments Co.,
LLC.
funds. The instructions may be sent in a variety of ways, including by electronic access to
networks operated by the Fedwire or CHIPS payment systems; by access to financial
telecommunications systems, such as Society for Worldwide Interbank Financial
Telecommunication (SWIFT); or e-mail, facsimile, telephone, or telex. Fedwire and CHIPS
are used to facilitate U.S. dollar transfers between two domestic endpoints or the U.S. dollar
segment of international transactions. SWIFT is an international messaging service that is
used to transmit payment instructions for the vast majority of international interbank
transactions, which can be denominated in numerous currencies.
Fedwire
Fedwire is operated by the Federal Reserve Banks and allows a participant to transfer funds
from its master account at the Federal Reserve Banks to the master account of any other
bank.38 Payment over Fedwire is final and irrevocable when the Federal Reserve Bank either
credits the amount of the payment order to the receiving bank’s Federal Reserve Bank master
account or sends notice to the receiving bank, whichever is earlier. Although there is no
settlement risk to Fedwire participants, they may be exposed to other risks, such as errors,
omissions, and fraud.
Participants may access Fedwire by three methods:
38 An entity eligible to maintain a master account at the Federal Reserve is generally eligible to participate in the
Fedwire Funds Service. These participants include:
• Depository institutions.
• U.S. agencies and branches of foreign banks.
• Member banks of the Federal Reserve System.
• The U.S. Treasury and any entity specifically authorized by federal statute to use the Federal Reserve
Banks as fiscal agents or depositories.
• Entities designated by the Secretary of the Treasury.
• Foreign central banks, foreign monetary authorities, foreign governments, and certain international
organizations.
• Any other entity authorized by a Federal Reserve Bank to use the Fedwire Funds Service.
SWIFT
The SWIFT network is a messaging infrastructure, not a payments system, which provides
users with a private international communications link among themselves. The actual funds
movements (payments) are completed through correspondent bank relationships, Fedwire, or
CHIPS. Movement of payments denominated in different currencies occurs through
correspondent bank relationships or over funds transfer systems in the relevant country. In
addition to customer and bank funds transfers, SWIFT is used to transmit foreign exchange
confirmations, debit and credit entry confirmations, statements, collections, and documentary
credits.
Cover Payments
A typical funds transfer involves an originator instructing its bank (the originator’s bank) to
make payment to the account of a payee (the beneficiary) with the beneficiary’s bank. A
cover payment occurs when the originator’s bank and the beneficiary’s bank do not have a
relationship that allows them to settle the payment directly. In that case, the originator’s
bank instructs the beneficiary’s bank to effect the payment and advises that transmission of
funds to “cover” the obligation created by the payment order has been arranged through
correspondent accounts at one or more intermediary banks.
Cross-border cover payments usually involve multiple banks in multiple jurisdictions. For
U.S. dollar transactions, the intermediary banks are generally U.S. banks that maintain
correspondent banking relationships with non-U.S. originators’ banks and beneficiaries’
banks. In the past, SWIFT message protocols allowed cross-border cover payments to be
effected by the use of separate, simultaneous message formats:
• The MT 103 — payment order from the originator’s bank to the beneficiary’s bank with
information identifying the originator and the beneficiary; and
• The MT 202 — bank-to-bank payment orders directing the intermediary banks to “cover”
the originator’s bank’s obligation to pay the beneficiary’s bank.
To address transparency concerns, SWIFT adopted a new message format for cover
payments (the MT 202 COV) that contains mandatory fields for originator and beneficiary
information. Effective November 21, 2009, the MT 202 COV is required for any
bank-to-bank payment for which there is an associated MT 103. The MT 202 COV provides
39 Sources of information on IVTS include:
• FinCEN Advisory FIN-2010-A011, Informal Value Transfer Systems, September 2010.
• FinCEN Advisory 33, Informal Value Transfer Systems, March 2003.
• U.S. Treasury Informal Value Transfer Systems Report to the Congress in Accordance with Section 359
of the Patriot Act, November 2002.
• Financial Action Task Force on Money Laundering (FATF), Interpretative Note to Special
Recommendation VI: Alternative Remittance, June 2003.
• FATF, Combating the Abuse of Alternative Remittance Systems, International Best Practices, October
2002.
Risk Factors
Funds transfers may present a heightened degree of risk, depending on such factors as the
number and dollar volume of transactions, geographic location of originators and
beneficiaries, and whether the originator or beneficiary is a bank customer. The size and
complexity of a bank’s operation and the origin and destination of the funds being transferred
determine which type of funds transfer system the bank uses. The vast majority of funds
transfer instructions are conducted electronically; however, examiners need to be mindful
that physical instructions may be transmitted by other informal methods, as described earlier.
Cover payments effected through SWIFT pose additional risks for an intermediary bank that
does not receive either an MT 103 or an adequately completed MT 202 COV that identifies
the originator and beneficiary of the funds transfer. Without this data, the intermediary bank
is unable to monitor or filter payment information. This lack of transparency limits the U.S.
intermediary bank’s ability to appropriately assess and manage the risk associated with
correspondent and clearing operations, monitor for suspicious activity, and screen for OFAC
compliance.
IVTS pose a heightened concern because they are able to circumvent the formal system. The
lack of recordkeeping requirements coupled with the lack of identification of the IVTS
participants may attract money launderers and terrorists. IVTS also pose heightened
BSA/AML concerns because they can evade internal controls and monitoring oversight
established in the formal banking environment. Principals that operate IVTS frequently use
banks to settle accounts.
The risks of PUPID transactions to the beneficiary bank are similar to other activities in
which the bank does business with noncustomers. However, the risks are heightened in
PUPID transactions if the bank allows a noncustomer to access the funds transfer system by
providing minimal or no identifying information. Banks that allow noncustomers to transfer
funds using the PUPID service pose significant risk to both the originating and beneficiary
banks. In these situations, both banks have minimal or no identifying information on the
originator or the beneficiary.
Risk Mitigation
Funds transfers can be used in the placement, layering, and integration stages of money
laundering. Funds transfers purchased with currency are an example of the placement stage.
Detecting unusual activity in the layering and integration stages is more difficult for a bank
because transactions may appear legitimate. In many cases, a bank may not be involved in
the placement of the funds or in the final integration, only the layering of transactions. Banks
should consider all three stages of money laundering when evaluating or assessing funds
transfer risks.
Banks need to have sound policies, procedures, and processes to manage the BSA/AML risks
of their funds transfer activities. Such policies may encompass more than regulatory
recordkeeping minimums and be expanded to cover OFAC obligations. Funds transfer
policies, procedures, and processes should address all foreign correspondent banking
activities, including transactions in which U.S. branches and agencies of foreign banks are
intermediaries for their head offices.
Obtaining CDD information is an important risk mitigation step in providing funds transfer
services. Because of the nature of funds transfers, adequate and effective CDD policies,
procedures, and processes are critical in detecting unusual and suspicious activities. An
effective risk-based suspicious activity monitoring and reporting system is equally important.
Whether this monitoring and reporting system is automated or manual, it should be sufficient
to detect suspicious trends and patterns typically associated with money laundering.
Institutions should have processes for managing correspondent banking relationships in
accordance with section 312 of the USA PATRIOT Act and corresponding regulations (31
CFR 1010.610). Correspondent bank due diligence should take into account the
correspondent’s practices with regard to funds transfers effected through the U.S. bank.
U.S. banks can mitigate risk associated with cover payments by managing correspondent
banking relationships, by observing The Clearing House Payments Co., LLC and the
Wolfsberg Group’s best practices (discussed below) and the SWIFT standards when sending
messages, and by conducting appropriate transaction screening and monitoring.
In May 2009, the Basel Committee on Banking Supervision issued a paper on cross-border
cover payment messages (BIS Cover Payments Paper).40 The BIS Cover Payments Paper
supported increased transparency and encouraged all banks involved in international
payments transactions to adhere to the message standards developed by The Clearing House
Payments Co., LLC and the Wolfsberg Group in 2007. These are:
• Financial institutions should not omit, delete, or alter information in payment messages or
orders for the purpose of avoiding detection of that information by any other financial
institution in the payment process;
• Financial institutions should not use any particular payment message for the purpose of
avoiding detection of information by any other financial institution in the payment
process;
• Subject to all applicable laws, financial institutions should cooperate as fully as
practicable with other financial institutions in the payment process when requested to
provide information about the parties involved; and
• Financial institutions should strongly encourage their correspondent banks to observe
these principles.
In addition, effective monitoring processes for cover payments include:
40 Refer to the Basel Committee on Banking Supervision’s Due diligence and transparency regarding cover
payment messages related to cross-border wire transfers. In addition, during August 2009, the committee,
along with the Clearinghouse Payments Co. LLC, released Q&As in order to enhance understanding of the MT
202 COV.
developed by the intermediary bank. The monitoring process may be similar to that for
MT 103 payments.
• Given the volume of messages and data for large U.S. intermediary banks, a manual
review of every payment order may not be feasible or effective. However, intermediary
banks should have, as part of their monitoring processes, a risk-based method to identify
incomplete fields or fields with meaningless data. U.S. banks engaged in processing
cover payments should have policies to address such circumstances, including those that
involve systems other than SWIFT.
Originating and beneficiary banks should establish effective and appropriate policies,
procedures, and processes for PUPID activity including:
Examination Procedures
Funds Transfers
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
funds transfers, and management’s ability to implement effective monitoring and reporting
systems. This section expands the core review of the statutory and regulatory requirements
of funds transfers to provide a broader assessment of AML risks associated with this activity.
1. Review the policies, procedures, and processes related to funds transfers. Evaluate the
adequacy of the policies, procedures, and processes given the bank’s funds transfer
activities and the risks they present. Assess whether the controls are adequate to
reasonably protect the bank from money laundering and terrorist financing.
2. Review MIS and internal risk rating factors, and determine whether the bank effectively
identifies and monitors funds transfer activities.
3. Evaluate the bank’s risks related to funds transfer activities by analyzing the frequency
and dollar volume of funds transfers, jurisdictions, and the bank’s role in the funds
transfer process (e.g., whether it is the originator’s bank, intermediary bank, or
beneficiary’s bank). These factors should be evaluated in relation to the bank’s size, its
location, and the nature of its customer and correspondent account relationships.
4. Determine whether an audit trail of funds transfer activities exists. Determine whether an
adequate separation of duties or other compensating controls are in place to ensure proper
authorization for sending and receiving funds transfers and for correcting postings to
accounts.
5. Determine whether the bank’s system for monitoring funds transfers and for reporting
suspicious activities is adequate given the bank’s size, complexity, location, and types of
customer relationships. Determine whether suspicious activity monitoring and reporting
systems include:
• Funds transfers purchased with currency.
• Transactions in which the bank is acting as an intermediary.
• All SWIFT message formats, including MT 103, MT 202, and MT 202 COV.
• Transactions in which the bank is originating or receiving funds transfers from
foreign financial institutions, particularly to or from jurisdictions with strict privacy
and secrecy laws or those identified as higher risk.
• Frequent currency deposits or funds transfers and then subsequent transfers,
particularly to a larger institution or out of the country.
6. Review the bank’s procedures for cross-border funds transfers:
• Determine whether the bank’s processes for foreign correspondent bank due
diligence, as required under section 312 of the USA PATRIOT Act and
corresponding regulations include the review and evaluation of the transparency
practices of the bank’s correspondents who are involved in cross-border funds
transfers through the bank (for example, whether correspondents are appropriately
utilizing the MT 202 COV message format).
• As applicable and if not already performed, review the bank’s procedures to ensure
compliance with the Travel Rule, including appropriate use of the MT 202 COV
format.
• Assess the bank’s policies for cooperating with its correspondents when they request
the bank to provide information about parties involved in funds transfers.
• Assess the adequacy of the bank’s procedures for addressing isolated as well as
repeated instances where payment information received from a correspondent is
missing, manifestly meaningless or incomplete, or suspicious.
7. Determine the bank’s procedures for payable upon proper identification (PUPID)
transactions.
• Beneficiary bank — determine how the bank disburses the proceeds (i.e., by currency
or official check).
• Originating bank — determine whether the bank allows PUPID funds transfers for
noncustomers. If so, determine the type of funds accepted (i.e., by currency or
official check).
8. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
9. On the basis of the bank’s risk assessment of funds transfer activities, as well as prior
examination and audit reports, select a sample of higher-risk funds transfer activities,
which may include the following:
• Funds transfers purchased with currency.
• Transactions in which the bank is acting as an intermediary, such as cover payments.
• Transactions in which the bank is originating or receiving funds transfers from
foreign financial institutions, particularly to or from jurisdictions with strict privacy
and secrecy laws or those identified as higher risk.
• PUPID transactions.
10. From the sample selected, analyze funds transfers to determine whether the amounts,
frequency, and jurisdictions of origin or destination are consistent with the nature of the
business or occupation of the customer.
11. In addition, for funds transfers processed using the MT 202 and MT 202 COV message
formats, review the sample of messages to determine whether the bank has used the
appropriate message formats and has included complete originator and beneficiary
information (e.g., no missing or meaningless information).
12. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
funds transfer activity.
41 In the electronic check conversion process, merchants that receive a check for payment do not collect the
check through the check collection system, either electronically or in paper form. Instead, merchants use the
information on the check to initiate a type of electronic funds transfer known as an ACH debit to the check
writer’s account. The check is used to obtain the bank routing number, account number, check serial number,
and dollar amount for the transaction, and the check itself is not sent through the check collection system in any
form as a payment instrument. Merchants use electronic check conversion because it can be a more efficient
way for them to obtain payment than collecting the check.
42 Refer to the NACHA Web site.
43 The Federal Reserve Banks operate FedACH, a central clearing facility for transmitting and receiving ACH
payments, and FedGlobal, which sends cross-border ACH credits payments to more than 35 countries around
the world, plus debit payments to Canada only.
44 Refer to OCC Bulletin 2006-39, “Automated Clearing House Activities: Risk Management Guidance”
(September 1, 2006).
accountholder receiving funds (payee). Within the ACH system, these participants and users
are known by the following terms:
45 For additional information on the IAT, refer to the NACHA Web site.
46 “Financial agency” means an entity that is authorized by applicable law to accept deposits or is in the
business of issuing money orders or transferring funds.
Definition of IAT
An IAT is an ACH entry that is part of a payment transaction involving a financial agency’s
office that is not located in the territorial jurisdiction of the United States. An office of a
financial agency is involved in the payment transaction if one or more of the following
conditions are met:
• The ultimate foreign beneficiary of the funds transfer when the proceeds from a debit
inbound IAT entry are “for further credit to” an ultimate foreign beneficiary that is other
than the Originator of the debit IAT entry, or
• The foreign party funding a credit inbound IAT entry when that party is not the
Originator of the credit IAT entry.
Refer to www.nacha.org/c/IATIndustryInformation.cfm for more information on additional
data available to banks under the new IAT format.
47 For convenience, this information is sometimes referred to as “Travel Rule” information, but as a technical
matter the funds transfer recordkeeping and travel rules at 31 CFR 1010.410(f) do not apply to ACH
transactions and NACHA operating rules have not changed.
48 Third-party service provider is a generic term for any business that provides services to a bank. A third-party
payment processor is a specific type of service provider that processes payments such as checks, ACH files, or
credit and debit card messages or files. Refer to expanded overview section, “Third-Party Payment Processors,”
page 234, for additional guidance.
49 When independent TPSPs contract with independent sales organizations or other third-party payment
processors, there may be two or more layers between the ODFI and the Originator.
sender is a type of service provider that acts on behalf of an Originator (i.e., an intermediary
between the Originator and the ODFI). For example, a third-party sender may be a customer
of the bank processing ACH transactions on behalf of an Originator. In a third-party sender
arrangement, there is no contractual agreement between the ODFI and the Originator. A
sending point is defined as an entity that transmits entries to an ACH Operator on behalf of
an ODFI.
The functions of these TPSPs can include, but are not limited to, the creation of ACH files on
behalf of the Originator or ODFI, or acting as a sending point of an ODFI (or receiving point
on behalf of an RDFI).
Risk Factors
The ACH system was designed to transfer a high volume of low-dollar domestic transactions,
which pose lower BSA/AML risks. Nevertheless, the ability to send high-dollar and
international transactions through the ACH may expose banks to higher BSA/AML risks.
Banks without a robust BSA/AML monitoring system may be exposed to additional risk,
particularly when accounts are opened over the Internet without face-to-face contact.
ACH transactions that are originated through a TPSP (that is, when the Originator is not a
direct customer of the ODFI) may increase BSA/AML risks, thereby making it difficult for
an ODFI to underwrite and review Originator transactions for compliance with BSA/AML
rules.50 Risks are heightened when neither the TPSP nor the ODFI performs due diligence on
the companies for whom they are originating payments.
Certain ACH transactions, such as those originated through the Internet or the telephone,
may be susceptible to manipulation and fraudulent use. Certain practices associated with
how the banking industry processes ACH transactions may expose banks to BSA/AML risks.
These practices include:
• An ODFI authorizing a TPSP to send ACH files directly to an ACH Operator, in essence
bypassing the ODFI.
• ODFIs and RDFIs relying on each other to perform adequate due diligence on their
customers.
• Batch processing that obscures the identities of originators.
• Lack of sharing of information on or about originators and receivers inhibits a bank’s
ability to appropriately assess and manage the risk associated with correspondent and
ACH processing operations, monitor for suspicious activity, and screen for OFAC
compliance.
50 A bank’s underwriting policy should define what information each application should contain. The depth of
the review of an originator’s application should match the level of risk posed by the originator. The
underwriting policy should require a background check of each originator to support the validity of the
business.
Risk Mitigation
The BSA requires banks to have BSA/AML compliance programs and appropriate policies,
procedures, and processes in place to monitor and identify unusual activity, including ACH
transactions. Obtaining CDD information in all operations is an important mitigant of
BSA/AML risk in ACH transactions. Because of the nature of ACH transactions and the
reliance that ODFIs and RDFIs place on each other for OFAC reviews and other necessary
due diligence information, it is essential that all parties have a strong CDD program for
regular ACH customers. For relationships with TPSPs, CDD on the TPSP can be
supplemented with due diligence on the principals associated with the TPSP and, as
necessary, on the originators. Adequate and effective CDD policies, procedures, and
processes are critical in detecting a pattern of unusual and suspicious activities because the
individual ACH transactions are typically not reviewed. Equally important is an effective
risk-based suspicious activity monitoring and reporting system. In cases where a bank is
heavily reliant upon the TPSP, a bank may want to review the TPSP’s suspicious activity
monitoring and reporting program, either through its own or an independent inspection. The
ODFI may establish an agreement with the TPSP, which delineates general TPSP guidelines,
such as compliance with ACH operating requirements and responsibilities and meeting other
applicable state and federal regulations. Banks may need to consider controls to restrict or
refuse ACH services to potential originators and receivers engaged in questionable or
deceptive business practices.
ACH transactions can be used in the layering and integration stages of money laundering.
Detecting unusual activity in the layering and integration stages can be a difficult task,
because ACH may be used to legitimize frequent and recurring transactions. Banks should
consider the layering and integration stages of money laundering when evaluating or
assessing the ACH transaction risks of a particular customer.
The ODFI should be aware of IAT activity and evaluate the activity using a risk-based
approach in order to ensure that suspicious activity is identified and monitored. The ODFI, if
frequently involved in IATs, may develop a separate process, which may be automated, for
reviewing IATs that minimizes disruption to general ACH processing, reconcilement, and
settlement.
The potentially higher risk inherent in IATs should be considered in the bank’s ACH
policies, procedures, and processes. The bank should consider its current and potential roles
and responsibilities when developing internal controls to monitor and mitigate the risk
associated with IATs and to comply with the bank’s suspicious activity reporting obligations.
In processing IATs, banks should consider the following:
• Appropriate MIS, including the potential necessity for systems upgrades or changes.
• Processing procedures (e.g., identifying and handling IATs, resolving OFAC hits, and
handling noncompliant and rejected messages).
• Training programs for appropriate bank personnel (e.g., ACH personnel, operations,
compliance audit, customer service, etc.).
• Legal agreements, including those with customers, third-party processors, and vendors,
and whether those agreements need to be upgraded or modified.
OFAC Screening
ACH transactions may involve persons or parties that are subject to the sanctions programs
administered by OFAC. (Refer to core overview section, “Office of Foreign Assets Control,”
page 142, for additional guidance.) OFAC has clarified its interpretation of the application of
its rules for domestic and cross-border ACH transactions and provided more detailed
guidance on cross-border ACH.51
With respect to domestic ACH transactions, the ODFI is responsible for verifying that the
Originator is not a blocked party and making a good faith effort to ascertain that the
Originator is not transmitting blocked funds. The RDFI similarly is responsible for verifying
that the Receiver is not a blocked party. In this way, the ODFI and the RDFI are relying on
each other for compliance with OFAC regulations.
If an ODFI receives domestic ACH transactions that its customer has already batched, the
ODFI is not responsible for unbatching those transactions to ensure that no transactions
violate OFAC’s regulations. If an ODFI unbatches a file originally received from the
Originator in order to process “on-us” transactions, that ODFI is responsible for the OFAC
compliance for the on-us transactions because it is acting as both the ODFI and the RDFI for
those transactions. ODFIs acting in this capacity should already know their customers for the
purpose of compliance with OFAC and other regulatory requirements. For the residual
unbatched transactions in the file that are not "on-us," as well as those situations where banks
deal with unbatched ACH records for reasons other than to strip out the on-us transactions,
banks should determine the level of their OFAC risk and develop appropriate policies,
procedures, and processes to address the associated risks. Such policies might involve
screening each unbatched ACH record. Similarly, banks that have relationships with TPSPs
should assess the nature of those relationships and their related ACH transactions to ascertain
the bank’s level of OFAC risk and to develop appropriate policies, procedures, and processes
to mitigate that risk.
With respect to cross-border screening, similar but somewhat more stringent OFAC
screening obligations hold for IATs. In the case of inbound IATs, and regardless of whether
the OFAC flag in the IAT is set, an RDFI is responsible for compliance with OFAC
sanctions. For outbound IATs, the ODFI should not rely on OFAC screening by an RDFI
outside of the United States. In these situations, the ODFI must exercise increased diligence
to ensure that illegal transactions are not processed.
51 Refer to Interpretive Note 041214-FACRL-GN-02.
Due diligence for an inbound or outbound IAT may include screening the parties to a
transaction, as well as reviewing the details of the payment field information for an
indication of a sanctions violation, investigating the resulting hits, if any, and ultimately
blocking or rejecting the transaction, as appropriate. Refer to the core overview section,
“Office of Foreign Assets Control,” page 142, for additional guidance.
In guidance issued on March 10, 2009, OFAC authorized institutions in the United States
when they are acting as an ODFI/Gateway for inbound IAT debits to reject transactions that
appear to involve blockable property or property interests.52 The guidance further stated that
to the extent that an ODFI/Gateway screens inbound IAT debits for possible OFAC
violations prior to execution and in the course of such screening discovers a potential OFAC
violation, the suspect transaction is to be removed from the batch for further investigation. If
the ODFI/Gateway determines that the transaction does appear to violate OFAC regulations,
the ODFI/Gateway should refuse to process the transfer. The procedure applies to
transactions that would normally be blocked as well as to transactions that would normally be
rejected for OFAC purposes based on the information in the payments.
Additional information on the types of retail payment systems (ACH payment systems) is
available in the FFIEC Information Technology Examination Handbook’s Retail Payment
Systems booklet.
52 Refer to OFAC letter (March 10, 2009).
Examination Procedures
Automated Clearing House Transactions
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
automated clearing house (ACH) and international ACH transactions (IAT) and
management’s ability to implement effective monitoring and reporting systems.
1. Review the policies, procedures, and processes related to ACH transactions, including
IATs. Evaluate the adequacy of the policies, procedures, and processes given the bank’s
ACH transactions, including IATs, and the risks they present. Assess whether the
controls are adequate to reasonably protect the bank from money laundering and terrorist
financing.
2. From review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors higher-risk customers using ACH transactions,
including IATs.
3. Evaluate the bank’s risks related to ACH transactions, including IATs, by analyzing the
frequency and dollar volume and types of ACH transactions in relation to the bank’s size,
its location, the nature of its customer account relationships, and the location of the origin
or destination of IATs relative to the bank’s location.
4. Determine whether the bank’s system for monitoring customers, including third-party
service providers (TPSP), using ACH transactions and IATs for suspicious activities, and
for reporting of suspicious activities, is adequate given the bank’s size, complexity,
location, and types of customer relationships. Determine whether internal control
systems include:
Transaction Testing
6. On the basis of the bank’s risk assessment of customers with ACH transactions as well as
prior examination and audit reports, select a sample of higher-risk customers, including
TPSPs, with ACH transactions or IATs, which may include the following:
• Customers initiating ACH transactions, including IATs, from the Internet or via
telephone, particularly from an account opened on the Internet or via the telephone
without face-to-face interaction.
• Customers whose business or occupation does not warrant the volume or nature of
ACH or IAT activity.
• Customers who have been involved in the origination or receipt of duplicate or
fraudulent ACH transactions or IATs.
• Customers or originators (clients of customers) that are generating a high rate or high
volume of invalid account returns, consumer unauthorized returns, or other
unauthorized transactions.
7. From the sample selected, analyze ACH transactions, including IATs, to determine
whether the amounts, frequency, and jurisdictions of origin or destination are consistent
with the nature of the business or occupation of the customer. A review of the account
opening documentation, including CIP documentation, may be necessary in making these
determinations. Identify any suspicious or unusual activity.
8. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
ACH transactions and IATs.
Prepaid Cards
Prepaid access can cover a variety of products, functionalities, and technologies. Physical
access, issued in the form of prepaid cards, is currently the most popular form and is widely
used for payments by governments, businesses and consumers. Most payment networks
require that their branded prepaid cards be issued by a bank that is a member of that payment
network. Prepaid cards operate within either an “open” or “closed” loop system. Open loop
prepaid cards can be used for purchases at any merchant that accepts cards issued for use on
the payment network associated with the card and to access cash at any automated teller
machine (ATM) that connects to the affiliated ATM network. Examples of open loop
prepaid cards include payroll cards, general purpose reloadable (GPR) cards, and certain gift
cards. Some prepaid cards may be reloaded, allowing the cardholder or other person (such as
an employer) to add value. Closed loop prepaid cards generally can only be used to buy
goods or services from the merchant issuing the card or a select group of merchants or
service providers that participate in a specific network. Examples of closed loop prepaid
cards include merchant-specific retail gift cards, mall cards, and mass transit system cards.
Closed loop prepaid cards generally do not allow for cash access, although they can often be
resold through third-party Web sites in exchange for other closed loop cards or payment via
check, ACH or other method.
53 31 CFR 1010.100(ww).
Prepaid cards are highly flexible and can be customized to meet the needs of the specific
program. Some prepaid card programs are designed for specific limited-use purposes, such
as flexible spending account (FSA) or health savings account (HSA) cards that can be used to
purchase specific health-related services. Some prepaid card programs are used by state and
federal government agencies to disburse government benefits (e.g., disability,
unemployment, etc.) or provide income tax refunds, or by employers to deliver wage and
salary payments.
Like debit cards, prepaid cards provide a compact and transportable way to maintain and
access funds. Consumers use prepaid cards in a variety of ways, such as purchasing
products, making transfers to other cardholders within the prepaid program, and paying bills.
They also offer individuals an alternative to cash and money orders. As an alternate method
of cross-border funds transmittal, a small number of prepaid card programs may issue
multiple cards per account, so that persons in another country or jurisdiction can access the
funds loaded by the original cardholder via ATM withdrawals of cash or merchant purchases.
For such programs, risk-based customer due diligence should be conducted on the original
cardholder and transactions should be subjected to risk-based monitoring.
• Program Manager. Runs the program’s day-to-day operations. This entity may or may
not also be the entity that creates the program and designs the features and characteristics
of the prepaid product. May be a provider of prepaid access (Money Services Business
(MSB)) under FinCEN’s rule.54
• Network. Any of the payment networks that clear, settle, and process transactions.
• Provider of Prepaid Access. A participant within a prepaid program that agrees to serve
as the principal conduit for access to information from its fellow program participants.
The provider must register with FinCEN as an MSB and identify each prepaid program
for which it is the provider of prepaid access. As an MSB, providers of prepaid access
are subject to certain BSA/AML responsibilities. A bank that serves as a provider of
prepaid access has no requirement to register with FinCEN.
• Payment Processor. The entity that tracks and manages transactions and may be
responsible for account set-up and activation; adding value to products; and fraud control
and reporting.
• Issuing Bank. A bank that offers network branded prepaid products to consumers and
may serve as the holder of funds that have been prepaid and are awaiting instructions to
be disbursed.
54 31 CFR 1010.100(ff)(4)(i)
Contractual Agreements
Each relationship that a U.S. bank has with another financial institution or third party as part
of a prepaid access program should be governed by an agreement or a contract describing
each party’s responsibilities and other relationship details, such as the products and services
provided. The agreement or contract should also consider each party’s BSA/AML and
OFAC compliance requirements, customer base, due diligence procedures, and any payment
network obligations. The issuing bank maintains ultimate responsibility for BSA/AML
compliance whether or not a contractual agreement has been established.
Risk Factors
As with other payment instruments, money laundering, terrorist financing, and other criminal
activity may occur through prepaid access and prepaid card programs if effective controls are
not in place. For example, law enforcement investigations have found that some prepaid
holders have used false identification and funded their initial loads with stolen credit cards,
or have purchased multiple prepaid cards under aliases. In the placement phase of money
laundering, because many domestic and offshore banks offer prepaid access products or
services with currency access through ATMs internationally, criminals may load cash from
illicit sources onto prepaid access products and send them to accomplices inside or outside
the United States. Generally, domestically issued prepaid cards can only be loaded in the
United States. Investigations have disclosed that both open and closed loop prepaid cards
have been used in conjunction with, or as a replacement to, bulk cash smuggling. Although
prepaid access is increasingly regulated and is issued by highly regulated banks, some third
parties involved in marketing or distributing prepaid access programs may or may not be
subject to regulatory requirements, oversight, and supervision. In addition, these
requirements may vary by party.
Prepaid access programs are extremely diverse in the range of products and services offered
and the customer bases they serve. In evaluating the risk profile of a prepaid access program,
banks should consider the program’s specific features and functionalities. Higher potential
money laundering risk associated with prepaid access would result if the holder is
anonymous, or if the holder or purchaser provides fictitious holder/purchaser information.
Higher risk is also associated with cash access (especially internationally), and the volume
and velocity of funds that can be loaded or transacted. Other risk factors include type and
frequency of loads and transactions, geographic location where the transaction activity
occurs, the relationships between the bank and parties associated with the program, value
limits, distribution channels, and the nature of funding sources. Transactions using prepaid
access may pose the following unique risks to the bank:
• As with other modes of electronic payments (e.g., ACH, wire transfer, credit and debit
cards), holders may be able to use prepaid access products internationally, thus avoiding
border restrictions and reporting requirements applicable to cash and monetary
instruments.
• Data in underlying pooled accounts may be held or managed by third parties, separate
from the issuing bank.
• Source of payroll funding may come through an intermediary bank and may not be
transparent.
Risk Mitigation
Banks that offer prepaid access or otherwise participate in prepaid access programs should
have policies, procedures, and processes sufficient to manage the related BSA/AML risks as
required under the BSA and implementing regulations, as well as under payment network
rules. Guidance provided by the Network Branded Prepaid Card Association is an additional
resource for banks that provide prepaid card services.55
BSA/AML risk mitigation is an important factor for prepaid access programs, involving
several key components:
• Conducting a risk assessment of the prepaid access product itself including product
features and how it is distributed and loaded.
• Monitoring transactions conducted or attempted by, at or through the bank for unusual or
suspicious activity.
55 Refer to “Recommended Practices for Anti-Money Laundering Compliance for U.S.-Based Prepaid Card
Programs,” February 28, 2008.
• The policies on outsourcing should include processes for (1) documenting in writing the
roles and responsibilities of the parties, (2) maintaining the confidentiality of customer
information, and (3) maintaining the necessary access to information. The policies
should include the right to audit the third party to monitor its performance.
• The identity and location of all third parties involved in selling or distributing the prepaid
access program, including any subagents.
• The type, purpose, and anticipated activity of the prepaid access program.
Customers/Prepaid Users
Customer due diligence regarding the purchaser and/or the user(s) of the prepaid product can
also be an important BSA/AML risk mitigant and may include:
• Whether the source of funds is known and trusted (such as corporate or government
loads, vs. loads by individuals).
• The nature of the third parties’ businesses and the markets and customer bases served.
• The information collected to identify and verify the holders’ identity.
• The nature and duration of the bank’s relationship with third parties who are the source of
funds in the prepaid access program.
• The company requesting payroll funding and the source of payroll funding.
• The ability to monitor and track loads, transactions and velocity.
As part of their system of internal controls, banks should establish a means for monitoring,
identifying, and reporting suspicious activity related to prepaid access programs. This
reporting obligation extends to all transactions by, at, or through the bank, including those in
an aggregated form. Banks may need to establish protocols to regularly obtain transaction
information from processors or other third parties. Monitoring systems should have the
ability to identify foreign activity, bulk purchases made by one individual, and multiple
purchases made by related parties. In addition, procedures should include monitoring for
unusual activity patterns, such as:
• cash loads followed immediately by withdrawals of the full amount from another
location, or
• multiple unrelated funds transfers onto the prepaid access product, such as in tax refund
fraud situations where multiple tax refunds are loaded onto one card.
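The two patterns listed above, written as monitoring rules over prepaid card transaction records. This is an added example, not part of the manual: the record layout, the sample data, and the thresholds (24-hour window, 95 percent drain ratio, three distinct unrelated payees in 30 days) are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; a bank would derive its own
# from the risk assessment of the specific prepaid program.
DRAIN_WINDOW = timedelta(hours=24)   # how soon counts as "immediately"
DRAIN_RATIO = 0.95                   # "full amount", allowing for ATM fees
PAYEE_WINDOW = timedelta(days=30)    # look-back for inbound transfers
PAYEE_LIMIT = 3                      # distinct unrelated payees on one card


@dataclass(frozen=True)
class Txn:                 # hypothetical record layout
    card_id: str
    ts: datetime
    kind: str              # "cash_load", "transfer_load", "atm_withdrawal"
    amount_cents: int
    location: str          # city/region of the load site or ATM
    payee: str = ""        # named beneficiary on an inbound transfer


def normalize(name):
    """Case- and whitespace-insensitive form of a name for comparison."""
    return " ".join(name.upper().split())


def by_card(txns):
    """Group transactions per card, oldest first."""
    cards = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        cards[t.card_id].append(t)
    return cards


def load_then_drain(txns):
    """Cash load followed within DRAIN_WINDOW by withdrawals of (nearly) the
    full amount at a location other than the load location."""
    alerts = []
    for card_id, rows in by_card(txns).items():
        for load in rows:
            if load.kind != "cash_load" or load.amount_cents <= 0:
                continue
            drained = sum(
                r.amount_cents for r in rows
                if r.kind == "atm_withdrawal"
                and load.ts < r.ts <= load.ts + DRAIN_WINDOW
                and r.location != load.location
            )
            if drained >= DRAIN_RATIO * load.amount_cents:
                alerts.append((card_id, load.ts, drained))
    return alerts


def multi_payee_loads(txns, cardholders):
    """Transfers naming PAYEE_LIMIT or more distinct people other than the
    cardholder, loaded onto one card within PAYEE_WINDOW."""
    alerts = []
    for card_id, rows in by_card(txns).items():
        owner = normalize(cardholders.get(card_id, ""))
        loads = [r for r in rows
                 if r.kind == "transfer_load" and normalize(r.payee) != owner]
        start = 0
        for end, cur in enumerate(loads):
            # Slide the window start forward until it spans <= PAYEE_WINDOW.
            while cur.ts - loads[start].ts > PAYEE_WINDOW:
                start += 1
            payees = {normalize(r.payee) for r in loads[start:end + 1]}
            if len(payees) >= PAYEE_LIMIT:
                alerts.append((card_id, sorted(payees)))
                break  # one alert per card is enough for review
    return alerts


# Constructed sample data (not real transactions).
CARDHOLDERS = {"C1": "Lee Park", "C2": "Ana Ruiz", "C3": "Pat Doe", "C4": "Sam Lee"}
SAMPLE = [
    # C1: cash load, then almost all of it withdrawn elsewhere within hours.
    Txn("C1", datetime(2024, 3, 1, 9, 0), "cash_load", 90000, "Dallas, TX"),
    Txn("C1", datetime(2024, 3, 1, 11, 30), "atm_withdrawal", 50000, "Miami, FL"),
    Txn("C1", datetime(2024, 3, 1, 11, 35), "atm_withdrawal", 39500, "Miami, FL"),
    # C2: small withdrawal elsewhere, the rest locally days later.
    Txn("C2", datetime(2024, 3, 1, 9, 0), "cash_load", 20000, "Austin, TX"),
    Txn("C2", datetime(2024, 3, 1, 10, 0), "atm_withdrawal", 2000, "Houston, TX"),
    Txn("C2", datetime(2024, 3, 4, 18, 0), "atm_withdrawal", 4000, "Austin, TX"),
    # C3: three refunds in three different names on one card.
    Txn("C3", datetime(2024, 3, 2, 8, 0), "transfer_load", 180000, "", "A. Rivera"),
    Txn("C3", datetime(2024, 3, 5, 8, 0), "transfer_load", 210000, "", "J. Chen"),
    Txn("C3", datetime(2024, 3, 9, 8, 0), "transfer_load", 195000, "", "M. Okafor"),
    # C4: recurring payroll in the cardholder's own name.
    Txn("C4", datetime(2024, 3, 1, 8, 0), "transfer_load", 120000, "", "Sam Lee"),
    Txn("C4", datetime(2024, 3, 15, 8, 0), "transfer_load", 120000, "", "SAM  LEE"),
]

if __name__ == "__main__":
    for alert in load_then_drain(SAMPLE):
        print("load-then-drain:", alert)
    for alert in multi_payee_loads(SAMPLE, CARDHOLDERS):
        print("multiple payees:", alert)
```

Alerts from rules like these are inputs to analyst review, together with the MIS reports on linked accounts and foreign ATM activity.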
Various management information systems (MIS) reports may be useful for detecting unusual
activity on higher-risk accounts. Those reports include ATM activity reports (focusing on
foreign transactions), funds transfer reports, new account activity reports, change of Internet
address reports, Internet Protocol (IP) address reports, and reports to identify related or
linked accounts (e.g., common addresses, phone numbers, e-mail addresses, and taxpayer
identification numbers).
Examination Procedures
Prepaid Access
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
prepaid access, and management’s ability to implement effective monitoring and reporting
systems.
1. Review the policies, procedures, and processes related to prepaid access. Evaluate the
risks posed by the prepaid access products offered, and the adequacy of the policies,
procedures, and processes given the risks such prepaid access products present. Assess
whether the controls are adequate to reasonably protect the bank from money laundering
and terrorist financing.
2. Review the due diligence undertaken by the bank regarding third-party service providers
such as program managers, processors, marketers, merchants and distributors. Assess
whether existing onboarding and ongoing oversight programs are reasonably satisfactory
to protect the bank.
3. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors higher-risk prepaid access transactions, such as
transactions involving unknown sources of funds (as opposed to funds received from a
long-term commercial customer or federal, state or local government entity) as well as
transactions involving international cash access/ATM transactions (as opposed to
domestic merchandise-only transactions).
4. Determine whether the bank’s prepaid access program is governed by an agreement or a
contract describing each party’s responsibilities and other relationship details, such as the
products and services provided. At a minimum, the contract should consider each
party’s:
• customer base;
• network obligations.
5. Determine whether the bank’s system for monitoring prepaid access transactions for
suspicious activities, and for reporting suspicious activities, is adequate given the bank’s
size, complexity, location, customer profile, and types of prepaid access products offered.
6. If appropriate, refer to the examination procedures, “Office of Foreign Assets Control,”
page 152; “Third Party Payment Processors,” page 239; and “Nonbank Financial
Institutions,” page 307, for guidance.
Transaction Testing
7. On the basis of the bank’s risk assessment of its prepaid access activities, as well as prior
examination and audit reports, select a sample of prepaid access transactions. From the
sample selected perform the following examination procedures: Review the prepaid
access product configuration(s), including features, how it is distributed, source of funds,
and what BSA/AML risk mitigants apply.
Risk Factors
Processors generally are not subject to BSA/AML regulatory requirements. As a result,
some processors may be vulnerable to money laundering, identity theft, fraud schemes, or
other illicit transactions, including those prohibited by OFAC.
The bank’s BSA/AML risks when dealing with a processor account are similar to risks from
other activities in which the bank’s customer conducts transactions through the bank on
behalf of the customer’s clients. When the bank is unable to identify and understand the
nature and source of the transactions processed through an account, the risks to the bank and
the likelihood of suspicious activity can increase. If a bank has not implemented an adequate
processor-approval program that goes beyond credit risk management, it could be vulnerable
to processing illicit or OFAC-sanctioned transactions.
56
NACHA – The Electronic Payments Association (NACHA) is the administrator of the Automated Clearing
House (ACH) Network. The ACH Network is governed by the NACHA Operating Rules, which provide the
legal foundation for the exchange of ACH and IAT payments. The NACHA Web site includes additional
information about the ACH payment system.
57
A remotely created check (sometimes called a “demand draft”) is a check that is not created by the paying
bank (often created by a payee or its service provider), drawn on a customer’s bank account. The check often is
authorized by the customer remotely, by telephone or online, and, therefore, does not bear the customer’s
handwritten signature.
58
FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party
Payment Processors, FDIC FIL-41-2014, July 28, 2014; Payment Processor Relationships Revised Guidance,
FDIC FIL-3-2012, January 31, 2012; Risk Management Guidance: Payment Processors, OCC Bulletin 2008-
12, April 24, 2008; Risk Management Guidance: Third Party Relationships, OCC Bulletin 2013-29, October
30, 2013; and Risk Associated with Third-Party Payment Processors, FinCEN Advisory FIN-2012-A010,
October 22, 2012.
While payment processors generally effect legitimate payment transactions for reputable
merchants, the risk profile of such entities can vary significantly depending on the make-up
of their customer base. Banks with third-party payment processor customers should be aware
of the heightened risk of returns and use of services by higher-risk merchants. Some higher-
risk merchants routinely use third parties to process their transactions because they do not
have a direct bank relationship. Payment processors pose greater money laundering and
fraud risk if they do not have an effective means of verifying their merchant clients’
identities and business practices. Risks are heightened when the processor does not perform
adequate due diligence on the merchants for which they are originating payments.
Risk Mitigation
Banks offering account services to processors should develop and maintain adequate policies,
procedures, and processes to address risks related to these relationships. At a minimum,
these policies should authenticate the processor’s business operations and assess their risk
level. A bank may assess the risks associated with payment processors by considering the
following:
• Implementing a policy that requires an initial background check of the processor (using,
for example, the Federal Trade Commission Web site, Better Business Bureau,
Nationwide Multi-State Licensing System & Registry (NMLS), NACHA, state
incorporation departments, Internet searches, and other investigative processes), its
principal owners, and of the processor’s underlying merchants, on a risk-adjusted basis in
order to verify their creditworthiness and general business practices.
• Reviewing the processor’s promotional materials, including its Web site, to determine the
target clientele. A bank may develop policies, procedures, and processes that restrict the
types of entities for which it allows processing services. These restrictions should be
clearly communicated to the processor at account opening.
• Determining whether the processor re-sells its services to a third party who may be
referred to as an “agent or provider of Independent Sales Organization (ISO)
opportunities” or “gateway” arrangements.59
• Reviewing the processor’s policies, procedures, and processes to determine the adequacy
of its due diligence standards for new merchants.
• Requiring the processor to identify its major customers by providing information such as
the merchant’s name, principal business activity, geographic location, and transaction
volume.
• Verifying directly, or through the processor, that the merchant is operating a legitimate
business by comparing the merchant’s identifying information against public record
databases, and fraud and bank check databases.
• Reviewing corporate documentation including independent reporting services and, if
applicable, documentation on principal owners.
• Visiting the processor’s business operations center.
• Reviewing appropriate databases to ensure that the processor and its principal owners and
operators have not been subject to law enforcement actions.
59
Gateway arrangements are similar to an Internet service provider with excess computer storage capacity that
sells its capacity to a third party that would then distribute computer services to various other individuals
unknown to the provider. The third party would be making decisions about who would be receiving the service,
although the provider would be providing the ultimate storage capacity. Thus, the provider bears all of the risks
while receiving a smaller profit.
Banks that provide account services to third-party payment processors should monitor their
processor relationships for any significant changes in the processor’s business strategies that
may affect their risk profile. Banks should periodically re-verify and update the processors’
profiles to ensure the risk assessment is appropriate. Banks should ensure that their
contractual agreements with payment processors provide them with access to necessary
information in a timely manner. Banks should periodically audit their third-party payment
processing relationships, including reviewing merchant client lists and confirming that the
processor is fulfilling contractual obligations to verify the legitimacy of its merchant clients
and their business practices.
In addition to adequate and effective account opening and due diligence procedures for
processor accounts, management should monitor these relationships for unusual and
suspicious activities. To effectively monitor these accounts, the bank should have an
understanding of the following processor information:
• Merchant base.
• Merchant activities.
• Average dollar volume and number of transactions.
• “Swiping” versus “keying” volume for credit card transactions.
• Charge-back history, including rates of return for ACH debit transactions and RCCs.
• Consumer complaints or other documentation that suggest a payment processor’s
merchant clients are inappropriately obtaining personal account information and using it
to create unauthorized RCCs or ACH debits.
With respect to account monitoring, a bank should thoroughly investigate high levels of
returns and should not accept high levels of returns on the basis that the processor has
provided collateral or other security to the bank. High levels of RCCs or ACH debits
returned for insufficient funds or as unauthorized can be an indication of fraud or suspicious
activity. Therefore, return rate monitoring should not be limited to only unauthorized
transactions, but include returns for other reasons that may warrant further review, such as
unusually high rates of return for insufficient funds or other administrative reasons.
FFIEC BSA/AML Examination Manual 237 11/17/2014
Third-Party Payment Processors — Overview
Transactions should be monitored for patterns that may be indicative of attempts to evade
NACHA limitations on returned entries. For example, resubmitting a transaction under a
different name or for slightly modified dollar amounts can be an attempt to circumvent these
limitations and is a violation of the NACHA Rules.60
A bank should implement appropriate policies, procedures, and processes that address
compliance and fraud risks. Policies and procedures should outline the bank’s thresholds for
returns and establish processes to mitigate risk from payment processors, as well as possible
actions that can be taken against the payment processors that exceed these standards.
If the bank determines a SAR is warranted, FinCEN has requested banks check the
appropriate box on the SAR report to indicate the type of suspicious activity, and include the
term “payment processor,” in both the narrative and the subject occupation portions of the
SAR.
60
Refer to NACHA Operating Rules.
Examination Procedures
Third-Party Payment Processors
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with its
relationships with third-party payment processors, and management’s ability to implement
effective monitoring and reporting systems.
1. Review the policies, procedures, and processes related to third-party payment processors
(processors). Evaluate the adequacy of the policies, procedures, and processes given the
bank’s processor activities and the risks they present. Assess whether the controls are
adequate to reasonably protect the bank from money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors processor relationships, particularly those that pose a
higher risk for money laundering.
3. Determine whether the bank’s system for monitoring processor accounts for suspicious
activities, and for reporting suspicious activities, is adequate given the bank’s size,
complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
5. On the basis of the bank’s risk assessment of its processor activities, as well as prior
examination and audit reports, select a sample of higher-risk processor accounts. From
the sample selected:
Risk Factors
The purchase or exchange of monetary instruments at the placement and layering stages of
money laundering can conceal the source of illicit proceeds. As a result, banks have been
major targets in laundering operations because they provide and process monetary
instruments through deposits. For example, customers or noncustomers have been known to
purchase monetary instruments in amounts below the $3,000 threshold to avoid having to
provide adequate identification. Subsequently, monetary instruments are then placed into
deposit accounts to circumvent the CTR filing threshold.
Risk Mitigation
Banks selling monetary instruments should have appropriate policies, procedures, and
processes in place to mitigate risk. Policies should define:
Examination Procedures
Purchase and Sale of Monetary Instruments
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
monetary instruments, and management’s ability to implement effective monitoring and
reporting systems. This section expands the core review of statutory and regulatory
requirements for purchase and sale of monetary instruments in order to provide a broader
assessment of the money laundering risks associated with this activity.
1. Review the policies, procedures, and processes related to the sale of monetary
instruments. Evaluate the adequacy of the policies, procedures, and processes given the
bank’s monetary instruments activities and the risks they present. Assess whether
controls are adequate to reasonably protect the bank from money laundering and terrorist
financing.
2. From the volume of sales and the number of locations where monetary instruments are
sold, determine whether the bank appropriately manages the risks associated with
monetary instrument sales.
3. Determine whether the bank’s system for monitoring monetary instruments for suspicious
activities, and for reporting suspicious activities, is adequate given the bank’s volume of
monetary instrument sales, size, complexity, location, and types of customer
relationships. Determine whether suspicious activity monitoring and reporting systems
(either manual or automated) include a review of:
Transaction Testing
5. On the basis of the bank’s risk assessment, as well as prior examination and audit reports,
select a sample of monetary instrument transactions for both customers and noncustomers
from:
61
Money launderers are known to identify the ownership or source of illegal funds through the use of unique
and unusual stamps.
Risk Factors
Money laundering and terrorist financing risks arise because the bank may not know the
ultimate beneficial owners or the source of funds. The deposit broker could represent a range
of clients that may be of higher risk for money laundering and terrorist financing (e.g.,
nonresident or offshore customers, politically exposed persons (PEP), or foreign shell banks).
Risk Mitigation
Banks that accept deposit broker accounts or funds should develop appropriate policies,
procedures, and processes that establish minimum CDD procedures for all deposit brokers
providing deposits to the bank. The level of due diligence a bank performs should be
commensurate with its knowledge of the deposit broker and the deposit broker’s known
business practices and customer base.
In an effort to address the risk inherent in certain deposit broker relationships, banks may
want to consider having a signed contract that sets out the roles and responsibilities of each
party and restrictions on types of customers (e.g., nonresident or offshore customers, PEPs,
or foreign shell banks). Banks should conduct sufficient due diligence on deposit brokers,
especially unknown, foreign, independent, or unregulated deposit brokers. To manage the
BSA/AML risks associated with brokered deposits, the bank should:
• Determine whether the deposit broker is a legitimate business in all operating locations
where the business is conducted.
• Review the deposit broker’s business strategies, including customer markets (e.g., foreign
or domestic customers) and methods for soliciting clients.
• Determine whether the deposit broker is subject to regulatory oversight.
• Evaluate whether the deposit broker’s BSA/AML and OFAC policies, procedures, and
processes are adequate (e.g., ascertain whether the deposit broker performs sufficient
CDD including CIP procedures).
• Determine whether the deposit broker screens clients for OFAC matches.
• Evaluate the adequacy of the deposit broker’s BSA/AML and OFAC audits and ensure
that they address compliance with applicable regulations and requirements.
62
For the purpose of the CIP rule, in the case of brokered deposits, the “customer” is the broker that opens the
account. A bank does not need to look through the deposit broker’s account to determine the identity of each
individual subaccountholder; it need only verify the identity of the named accountholder.
Banks should take particular care in their oversight of deposit brokers who are not regulated
entities and:
Examination Procedures
Brokered Deposits
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
brokered deposit relationships, and management’s ability to implement effective due
diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to deposit broker relationships.
Evaluate the adequacy of the policies, procedures, and processes given the bank’s deposit
broker activities and the risks that they present. Assess whether the controls are adequate
to reasonably protect the bank from money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors deposit broker relationships, particularly those that
pose a higher risk for money laundering.
3. Determine whether the bank’s system for monitoring deposit broker relationships for
suspicious activities, and for reporting suspicious activities, is adequate given the bank’s
size, complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
5. On the basis of the bank’s risk assessment of its brokered deposit activities, as well as
prior examination and audit reports, select a sample of higher-risk deposit broker
accounts. When selecting a sample, examiners should consider the following:
Sponsoring Bank
Some electronic funds transfers (EFT) or point-of-sale (POS) networks require an ISO to be
sponsored by a member of the network (sponsoring bank). The sponsoring bank and the ISO
are subject to all network rules. The sponsoring bank is also charged with ensuring the ISO
abides by all network rules. Therefore, the sponsoring bank should conduct proper due
diligence on the ISO and maintain adequate documentation to ensure that the sponsored ISO
complies with all network rules.
Risk Factors
Most states do not currently register, limit ownership, monitor, or examine privately owned
ATMs or their ISOs.65 While the provider of the ATM transaction network and the
sponsoring bank should be conducting adequate due diligence on the ISO, actual practices
may vary. Furthermore, the provider may not be aware of ATM or ISO ownership changes
after an ATM contract has already been established. As a result, many privately owned
ATMs have been involved in, or are susceptible to, money laundering schemes, identity theft,
outright theft of the ATM currency, and fraud. Consequently, privately owned ATMs and
their ISOs pose increased risk and should be treated accordingly by banks doing business
with them.
63
An ISO typically acts as an agent for merchants, including ATM owners, to process electronic transactions.
In some cases, an ATM owner may act as its own ISO processor. Banks may engage the services of an ISO to
solicit merchants and privately owned ATMs; however, in many situations, ISOs contract with merchants and
ATM owners without the review and approval of the clearing bank.
64
Refer to the FFIEC Information Technology Examination Handbook.
65
FinCEN has issued interpretive guidance, Application of the Definition of Money Services Business to Certain
Owner-Operators of Automated Teller Machines Offering Limited Services, FIN-2007-G006, December 3,
2007, clarifying the circumstances under which a nonbank owner and operator of an ATM would be a money
services business for the purposes of the Bank Secrecy Act and its implementing regulations.
Due diligence becomes more of a challenge when ISOs sell ATMs to, or subcontract with,
other companies (sub-ISOs) whose existence may be unknown to the sponsoring bank.
When an ISO contracts with or sells ATMs to sub-ISOs, the sponsoring bank may not know
who actually owns the ATM. Accordingly, sub-ISOs may own and operate ATMs that
remain virtually invisible to the sponsoring bank.
Some privately owned ATMs are managed by a vault currency servicer that provides
armored car currency delivery, replenishes the ATM with currency, and arranges for
insurance against theft and damage. Many ISOs, however, manage and maintain their own
machines, including the replenishment of currency. Banks may also provide currency to
ISOs under a lending agreement, which exposes those banks to various risks, including
reputation and credit risk.
Money laundering can occur through privately owned ATMs when an ATM is replenished
with illicit currency that is subsequently withdrawn by legitimate customers. This process
results in ACH deposits to the ISO’s account that appear as legitimate business transactions.
Consequently, all three phases of money laundering (placement, layering, and integration)
can occur simultaneously. Money launderers may also collude with merchants and
previously legitimate ISOs to provide illicit currency to the ATMs at a discount.
Risk Mitigation
Banks should implement appropriate policies, procedures, and processes, including
appropriate due diligence and suspicious activity monitoring, to address risks with ISO
customers. At a minimum, these policies, procedures, and processes should include:
Examination Procedures
Privately Owned Automated Teller Machines
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
privately owned automated teller machines (ATM) and Independent Sales Organization
(ISO) relationships, and management’s ability to implement effective due diligence,
monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to privately owned ATM accounts.
Evaluate the adequacy of the policies, procedures, and processes given the bank’s
privately owned ATM and ISO relationships and the risk they present. Assess whether
the controls are adequate to reasonably protect the bank from money laundering and
terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors privately owned ATM accounts.
3. Determine whether the bank’s system for monitoring privately owned ATM accounts for
suspicious activities, and for reporting suspicious activities, is adequate given the bank’s
size, complexity, location, and types of customer relationships.
4. Determine whether the bank sponsors network membership for ISOs. If the bank is a
sponsoring bank, review contractual agreements with networks and the ISOs to determine
whether due diligence procedures and controls are designed to ensure that ISOs are in
compliance with network rules.
5. Determine whether the bank obtains information from the ISO regarding due diligence on
its sub-ISO arrangements.
Transaction Testing
6. On the basis of the bank’s risk assessment of its privately owned ATM and ISO
relationships, as well as prior examination and audit reports, select a sample of privately
owned ATM accounts. From the sample selected, perform the following examination
procedures:
Review the bank’s CDD information. Determine whether the information adequately
verifies the ISO’s identity and describes its:
• Background.
• Source of funds.
• Anticipated activity or transaction types and levels (e.g., funds transfers).
• ATMs (size and location).
• Currency delivery arrangement, if applicable.
Review any MIS reports the bank uses to monitor ISO accounts. Determine whether the
flow of funds or expected activity is consistent with the CDD information.
Networking Arrangements
Banks typically enter into networking arrangements with securities broker/dealers to offer
NDIP on bank premises. For BSA/AML purposes, under a networking arrangement, the
customer is a customer of the broker/dealer, although the customer may also be a bank
customer for other financial services. Bank examiners recognize that the U.S. Securities and
Exchange Commission (SEC) is the primary regulator for NDIP offerings through
broker/dealers, and the agencies observe functional supervision requirements of the Gramm–
Leach–Bliley Act.66 Federal banking agencies are responsible for supervising NDIP activity
conducted directly by the bank. Different types of networking arrangements may include co-
branded products, dual-employee arrangements, or third-party arrangements.
Co-Branded Products
Co-branded products are offered by another company or financial services corporation67 in
co-sponsorship with the bank. For example, a financial services corporation tailors a mutual
fund product for sale at a specific bank. The product is sold exclusively at that bank and
bears the name of both the bank and the financial services corporation.
Because of this co-branded relationship, responsibility for BSA/AML compliance becomes
complex. As these accounts are not under the sole control of the bank or financial entity,
responsibilities for completing CIP, CDD, and suspicious activity monitoring and reporting
can vary. The bank should fully understand each party’s contractual responsibilities and
ensure adequate control by all parties.
66
Functional regulation limits the circumstances in which the federal banking agencies can directly examine or
require reports from a bank affiliate or subsidiary whose primary regulator is the SEC, the U.S. Commodity
Futures Trading Commission, or state issuance authorities. Federal banking agencies are generally limited from
examining such an entity unless further information is needed to determine whether the banking affiliate or
subsidiary poses a material risk to the bank, to determine compliance with a legal requirement under the federal
banking agencies’ jurisdiction, or to assess the bank’s risk management system covering the functionally
regulated activities. These standards require greater reliance on the functional regulator and better cooperation
among regulators.
67
A financial services corporation includes those entities offering NDIP, which may include investment firms,
financial institutions, securities brokers/dealers, and insurance companies.
Dual-Employee Arrangements
In a dual-employee arrangement, the bank and the financial services corporation such as an
insurance agency or a registered broker/dealer have a common (shared) employee. The
shared employee may conduct banking business as well as sell NDIP, or sell NDIP full-time.
Because of this dual-employee arrangement, the bank retains responsibility over NDIP
activities. Even if contractual agreements establish the financial services corporation as
being responsible for BSA/AML, the bank needs to ensure proper oversight of its employees,
including dual employees, and their compliance with all regulatory requirements.68
Under some networking arrangements, registered securities sales representatives are dual
employees of the bank and the broker/dealer. When the dual employee is providing
investment products and services, the broker/dealer is responsible for monitoring the
registered representative’s compliance with applicable securities laws and regulations. When
the dual employee is providing bank products or services, the bank has the responsibility for
monitoring the employee’s performance and compliance with BSA/AML.
Third-Party Arrangements
Third-party arrangements may involve leasing the bank’s lobby space to a financial services
corporation to sell NDIPs. In this case, the third party must clearly differentiate itself from
the bank. If the arrangement is appropriately implemented, third-party arrangements do not
affect the BSA/AML compliance requirements of the bank. As a sound practice, the bank is
encouraged to ascertain if the financial services provider has an adequate BSA/AML
compliance program as part of its due diligence.
Risk Factors
BSA/AML risks arise because NDIP can involve complex legal arrangements, large dollar
amounts, and the rapid movement of funds. NDIP portfolios managed and controlled
directly by clients pose a greater money laundering risk than those managed by the bank or
by the financial services provider. Sophisticated clients may create ownership structures to
obscure the ultimate control and ownership of these investments. For example, customers
can retain a certain level of anonymity by creating Private Investment Companies (PIC),70
offshore trusts, or other investment entities that hide the customer’s ownership or beneficial
interest.
68
If the bank uses the reliance provision under the CIP, responsibility for CIP shifts to the third-party provider.
Refer to core overview section, “Customer Identification Program,” page 52, for additional information.
69
In certain circumstances, a bank may not be considered a broker, and an employee need not register as a
broker/dealer. Refer to 15 USC 78c(a)(4) for a complete list.
Risk Mitigation
Management should develop risk-based policies, procedures, and processes that enable the
bank to identify unusual account relationships and circumstances, questionable assets and
sources of funds, and other potential areas of risk (e.g., offshore accounts, agency accounts,
and unidentified beneficiaries). Management should be alert to situations that need
additional review or research.
Networking Arrangements
Before entering into a networking arrangement, banks should conduct an appropriate review
of the broker/dealer. The review should include an assessment of the broker/dealer’s
financial status, management experience, National Association of Securities Dealers (NASD)
status, reputation, and ability to fulfill its BSA/AML compliance responsibilities with regard to
the bank’s customers. Appropriate due diligence would include a determination that the
broker/dealer has adequate policies, procedures, and processes in place to enable the
broker/dealer to meet its legal obligations. The bank should maintain documentation on its
due diligence of the broker/dealer. Furthermore, detailed written contracts should address the
BSA/AML responsibilities, including suspicious activity monitoring and reporting, of the
broker/dealer and its registered representatives.
A bank may also want to mitigate risk exposure by limiting certain investment products
offered to its customers. Investment products such as PICs, offshore trusts, or offshore hedge
funds may involve international funds transfers or offer customers ways to obscure
ownership interests.
Bank management should make reasonable efforts to update due diligence information on the
broker/dealer. Such efforts may include a periodic review of information on the
broker/dealer’s compliance with its BSA/AML responsibilities, verification of the
broker/dealer’s record in meeting testing requirements, and a review of consumer complaints.
Bank management is also encouraged, when possible, to review BSA/AML reports generated
by the broker/dealer. This review could include information on account openings,
transactions, investment products sold, and suspicious activity monitoring and reporting.
70
Refer to expanded overview section, “Business Entities (Domestic and Foreign),” page 314, for additional
guidance on PICs.
Examination Procedures
Nondeposit Investment Products
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
both networking and in-house nondeposit investment products (NDIP), and management’s
ability to implement effective monitoring and reporting systems.
1. Review the policies, procedures, and processes related to NDIP. Evaluate the adequacy
of the policies, procedures, and processes given the bank’s NDIP activities and the risks
they present. Assess whether the controls are adequate to reasonably protect the bank
from money laundering and terrorist financing.
2. If applicable, review contractual arrangements with financial service providers.
Determine the BSA/AML compliance responsibility of each party. Determine whether
these arrangements provide for adequate BSA/AML oversight.
3. Determine from a review of MIS reports (e.g., exception reports, funds transfer reports,
and activity monitoring reports) and internal risk rating factors, whether the bank
effectively identifies and monitors NDIP, particularly those that pose a higher risk for
money laundering.
4. Determine how the bank includes NDIP sales activities in its bank-wide or, if applicable,
firm-wide BSA/AML aggregation systems.
5. Determine whether the bank’s system for monitoring NDIP and for reporting suspicious
activities is adequate given the bank’s size, complexity, location, and types of customer
relationships.
6. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
If the bank or its majority-owned subsidiary is responsible for the sale or direct
monitoring of NDIP, then examiners should perform the following transaction testing
procedures on customer accounts established by the bank:
7. On the basis of the bank’s risk assessment of its NDIP activities, as well as prior
examination and audit reports, select a sample of higher-risk NDIP. From the sample
selected, perform the following examination procedures:
Insurance — Overview
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
the sale of covered insurance products, and management’s ability to implement effective
monitoring and reporting systems.
Banks engage in insurance sales to increase their profitability, mainly through expanding and
diversifying fee-based income. Insurance products are typically sold to bank customers
through networking arrangements with an affiliate, an operating subsidiary, or other
third-party insurance providers. Banks are also interested in providing cross-selling opportunities
for customers by expanding the insurance products they offer. Typically, banks take a role as
a third-party agent selling covered insurance products. The types of insurance products sold
may include life, health, property and casualty, and fixed or variable annuities.
• A permanent life insurance policy, other than a group life insurance policy.
• Any annuity contract, other than a group annuity contract.
• Any other insurance product with features of cash value or investment.
When an insurance agent or broker already is required to establish a BSA/AML compliance
program under a separate requirement under BSA regulations (e.g., bank or securities broker
requirements), the insurance company generally may rely on that compliance program to
address issues at the time of sale of the covered product.72 However, the bank may need to
establish specific policies, procedures, and processes for its insurance sales in order to submit
information to the insurance company for the insurance company’s AML compliance.
Likewise, if a bank, as an agent of the insurance company, detects unusual or suspicious
activity relating to insurance sales, it can file a joint SAR on the common activity with the
insurance company.73
71
31 CFR 1025.100 and 31 CFR 1025.320.
72
70 Fed. Reg. 66758 (November 3, 2005). Also refer to FFIEC Guidance Frequently Asked Question,
Customer Identification Programs and Banks Serving as Insurance Agents, FIN-2006, December 12, 2006.
73
FinCEN has issued a Frequently Asked Questions document, Anti-Money Laundering Program and
Suspicious Activity Reporting Requirements for Insurance Companies. Unless the SAR accommodates multiple
filers, only one institution is identified as the filer in the “Filer Identification” section of the SAR. In these
cases, the narrative must include the words “joint filing” and identify the other institutions on whose behalf the
report is filed.
In April 2008, FinCEN published a strategic analytical report that provides information
regarding certain money laundering trends, patterns, and typologies in connection with
insurance products. Refer to Insurance Industry Suspicious Activity Reporting: An
Assessment of Suspicious Activity Report Filings on the FinCEN Web site.
Risk Factors
Insurance products can be used to facilitate money laundering. For example, currency can be
used to purchase one or more life insurance policies, which may subsequently be quickly
canceled by a policyholder (also known as “early surrender”) for a penalty. The insurance
company refunds the money to the purchaser in the form of a check. Insurance policies
without cash value or investment features are lower risk, but can be used to launder money or
finance terrorism through the submission by a policyholder of inflated or false claims to its
insurance carrier, which if paid, would enable the insured to recover a part or all of the
originally invested payments. Other ways insurance products can be used to launder money
include:
• Borrowing against the cash surrender value of permanent life insurance policies.
• Selling units in investment-linked products (such as annuities).
• Using insurance proceeds from an early policy surrender to purchase other financial
assets.
• Buying policies that allow the transfer of beneficial interests without the knowledge and
consent of the issuer (e.g., secondhand endowment and bearer insurance policies).74
• Purchasing insurance products through unusual methods such as currency or currency
equivalents.
• Buying products with insurance termination features without concern for the product’s
investment performance.
74
Refer to the International Association of Insurance Supervisors’ Guidance Paper on Anti-Money Laundering
and Combating the Financing of Terrorism, October 2004.
Risk Mitigation
To mitigate money laundering risks, the bank should adopt policies, procedures, and
processes that include:
• Monitoring, including the review of early policy terminations and the reporting of
unusual and suspicious transactions (e.g., a single, large premium payment, a customer’s
purchase of a product that appears to fall outside the customer’s normal range of financial
transactions, early redemptions, multiple transactions, payments to apparently unrelated
third parties, and collateralized loans).
• Recordkeeping requirements.
Examination Procedures
Insurance
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
the sale of covered insurance products, and management’s ability to implement effective
monitoring and reporting systems.
1. Review the policies, procedures, and processes related to insurance sales. Evaluate the
adequacy of the policies, procedures, and processes given the bank’s insurance sales
activities, its role in insurance sales, and the risks the insurance sales present. Assess
whether the controls are adequate to reasonably protect the bank from money laundering
and terrorist financing.
2. Review the contracts and agreements for the bank’s networking arrangements with
affiliates, operating subsidiaries, or other third-party insurance providers conducting sales
activities on bank premises on behalf of the bank.
3. Depending on the bank’s responsibilities as set forth in the contracts and agreements,
review MIS reports (e.g., large transaction reports, single premium payments, early
policy cancellation records, premium overpayments, and assignments of claims) and
internal risk rating factors. Determine whether the bank effectively identifies and
monitors covered insurance product sales.
4. Depending on the bank’s responsibilities as set forth in the contracts and agreements,
determine whether the bank’s system for monitoring covered insurance products for
suspicious activities, and for reporting suspicious activities, is adequate given the bank’s
size, complexity, location, and types of customer relationships.
5. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
If the bank or its majority-owned subsidiary is responsible for the sale or direct
monitoring of insurance, then examiners should perform the following transaction testing
procedures.
6. On the basis of the bank’s risk assessment of its insurance sales activities, as well as prior
examination and audit reports, select a sample of covered insurance products. From the
sample selected, perform the following examination procedures:
Risk Factors
Money laundering risk can arise in concentration accounts if the customer-identifying
information, such as name, transaction amount, and account number, is separated from the
financial transaction. If separation occurs, the audit trail is lost, and accounts may be
misused or administered improperly. Banks that use concentration accounts should
implement adequate policies, procedures, and processes covering the operation and record
keeping for these accounts. Policies should establish guidelines to identify, measure,
monitor, and control the risks.
Risk Mitigation
Because of the risks involved, management should be familiar with the nature of their
customers’ business and with the transactions flowing through the bank’s concentration
accounts. Additionally, the monitoring of concentration account transactions is necessary to
identify and report unusual or suspicious transactions.
Internal controls are necessary to ensure that processed transactions include the identifying
customer information. Retaining complete information is crucial for compliance with
regulatory requirements as well as ensuring adequate transaction monitoring. Adequate
internal controls may include:
Examination Procedures
Concentration Accounts
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
concentration accounts, and management’s ability to implement effective monitoring and
reporting systems.
1. Review the policies, procedures, and processes related to concentration accounts.
Evaluate the adequacy of the policies, procedures, and processes in relation to the bank’s
concentration account activities and the risks they represent. Assess whether the controls
are adequate to reasonably protect the bank from money laundering and terrorist
financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors concentration accounts.
3. Review the general ledger and identify any concentration accounts. After discussing
concentration accounts with management and conducting any additional research needed,
obtain and review a list of all concentration accounts and the bank’s most recent
reconcilements.
4. Determine whether the bank’s system for monitoring concentration accounts for
suspicious activities, and for reporting of suspicious activities, is adequate given the
bank’s size, complexity, location, and types of customer relationships.
5. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
6. On the basis of the bank’s risk assessment of its concentration accounts, as well as prior
examination and audit reports, select a sample of concentration accounts. From the
sample selected, perform the following examination procedures:
Risk Factors
The involvement of multiple parties may increase the risk of money laundering or terrorist
financing when the source and use of the funds are not transparent. This lack of transparency
can create opportunities in any of the three stages of money laundering or terrorist financing
schemes. These schemes could include the following:
75
FinCEN has published strategic analytical reports on trends and patterns relating to mortgage loan fraud as
well as money laundering through commercial and residential real estate.
76
Refer to the expanded overview section, “Trade Finance Activities,” page 267, for additional guidance.
Examination Procedures
Lending Activities
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
lending activities, and management’s ability to implement effective due diligence,
monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to lending activities. Evaluate the
adequacy of the policies, procedures, and processes given the bank’s lending activities
and the risks they present. Assess whether the controls are adequate to reasonably protect
the bank from money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors higher-risk loan accounts.
3. Determine whether the bank’s system for monitoring loan accounts for suspicious
activities and for reporting of suspicious activities, is adequate given the bank’s size,
complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
5. On the basis of the bank’s risk assessment of its lending activities, as well as prior
examination and audit reports, select a sample of higher-risk loan accounts. From the
sample selected, perform the following examination procedures:
• Review account opening documentation, including CIP, to ensure that adequate due
diligence has been performed and that appropriate records are maintained.
• Review, as necessary, loan history.
• Compare expected transactions with actual activity.
• Determine whether actual activity is consistent with the nature of the customer’s
business and the stated purpose of the loan. Identify any unusual or suspicious
activity.
6. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
lending relationships.
• Applicant. The buyer or party who requests the issuance of a letter of credit.
• Issuing Bank. The bank that issues the letter of credit on behalf of the Applicant and
advises it to the Beneficiary either directly or through an Advising Bank. The Applicant
is the Issuing Bank’s customer.
• Confirming Bank. Typically in the home country of the Beneficiary, at the request of
the Issuing Bank, the bank that adds its commitment to honor draws made by the
Beneficiary, provided the terms and conditions of the letter of credit are met.
• Advising Bank. The bank that advises the credit at the request of the Issuing Bank. The
Issuing Bank sends the original credit to the Advising Bank for forwarding to the
Beneficiary. The Advising Bank authenticates the credit and advises it to the
Beneficiary. There may be more than one Advising Bank in a letter of credit transaction.
The Advising Bank may also be a Confirming Bank.
• Beneficiary. The seller or party to whom the letter of credit is addressed.
• Negotiation. The purchase by the nominated bank of drafts (drawn on a bank other than
the nominated bank) or documents under a complying presentation, by advancing or
agreeing to advance funds to the beneficiary on or before the banking day on which
reimbursement is due to the nominated bank.
• Nominated Bank. The bank with which the credit is available or any bank in the case of
a credit available with any bank.
• Accepting Bank. The bank that accepts a draft, providing a draft is called for by the
credit. Drafts are drawn on the Accepting Bank that dates and signs the instrument.
• Discounting Bank. The bank that discounts a draft for the Beneficiary after it has been
accepted by an Accepting Bank. The Discounting Bank is often the Accepting Bank.
• Reimbursing Bank. The bank authorized by the Issuing Bank to reimburse the Paying
Bank submitting claims under the letter of credit.
• Paying Bank. The bank that makes payment to the Beneficiary of the letter of credit.
As an example, in a letter of credit arrangement, a bank can serve as the Issuing Bank,
allowing its customer (the buyer) to purchase goods locally or internationally, or the bank
can act as an Advising Bank, enabling its customer (the exporter) to sell its goods locally or
internationally. The relationship between any two banks may vary and could include any of
the roles listed above.
Risk Factors
The international trade system is subject to a wide range of risks and vulnerabilities that
provide criminal organizations with the opportunity to launder the proceeds of crime and
move funds to terrorist organizations with a relatively low risk of detection. The involvement
of multiple parties on both sides of any international trade transaction can make the process
of due diligence more difficult. Also, because trade finance can be more document-based
than other banking activities, it can be susceptible to documentary fraud, which can be linked
to money laundering, terrorist financing, or the circumvention of OFAC sanctions or other
restrictions (such as export prohibitions, licensing requirements, or controls).
While banks should be alert to transactions involving higher-risk goods (e.g., trade in
weapons or nuclear equipment), they need to be aware that goods may be over- or
under-valued in an effort to evade anti-money laundering or customs regulations, or to move funds
or value across national borders. For example, an importer may pay a large sum of money
from the proceeds of an illegal activity for goods that are essentially worthless and are
subsequently discarded. Alternatively, trade documents, such as invoices, may be
fraudulently altered to hide the scheme. Variations on this theme include inaccurate or
double invoicing, partial shipment of goods (short shipping), and the use of fictitious goods.
Illegal proceeds transferred in such transactions thereby appear sanitized and enter the realm
of legitimate commerce. Moreover, many suspect trade finance transactions also involve
collusion between buyers and sellers.
The Applicant’s true identity or ownership may be disguised by the use of certain corporate
forms, such as shell companies or offshore front companies. The use of these types of
entities results in a lack of transparency, effectively hiding the identity of the purchasing
party, and thus increasing the risk of money laundering and terrorist financing.
Risk Mitigation
Sound CDD procedures are needed to gain a thorough understanding of the customer’s
underlying business and locations served. The banks in the letter of credit process need to
undertake varying degrees of due diligence depending upon their role in the transaction. For
example, Issuing Banks should conduct sufficient due diligence on a prospective customer
before establishing the letter of credit. The due diligence should include gathering sufficient
information on Applicants and Beneficiaries, including their identities, nature of business,
and sources of funding. This may require the use of background checks or investigations,
particularly in higher-risk jurisdictions. As such, banks should conduct a thorough review
and reasonably know their customers prior to facilitating trade-related activity and should
have a thorough understanding of trade finance documentation. Refer to the core overview
section, “Customer Due Diligence,” page 56, for additional guidance.
Likewise, guidance provided by the Financial Action Task Force on Money Laundering
(FATF) has helped set important industry standards and is a resource for banks that provide
trade finance services.77 The Wolfsberg Group also has published suggested industry
standards and guidance for banks that provide trade finance services.78
Banks taking other roles in the letter of credit process should complete due diligence that is
commensurate with their roles in each transaction. Banks need to be aware that because of
the frequency of transactions in which multiple banks are involved, Issuing Banks may not
always have correspondent relationships with the Advising or Confirming Bank.
To the extent feasible, banks should review documentation, not only for compliance with the
terms of the letter of credit, but also for anomalies or red flags that could indicate unusual or
suspicious activity. Reliable documentation is critical in identifying potentially suspicious
activity. When analyzing trade transactions for unusual or suspicious activity, banks should
consider obtaining copies of official U.S. or foreign government import and export forms to
assess the reliability of documentation provided.79 These anomalies could appear in shipping
documentation, obvious under- or over-invoicing, government licenses (when required), or
discrepancies in the description of goods on various documents. Identification of these
elements may not, in itself, require the filing of a SAR, but may suggest the need for further
research and verification. In circumstances where a SAR is warranted, the bank is not
expected to stop trade or discontinue processing the transaction. However, stopping the trade
may be required to avoid a potential violation of an OFAC sanction.
Trade finance transactions frequently use Society for Worldwide Interbank Financial
Telecommunication (SWIFT) messages. U.S. banks must comply with OFAC regulations,
and when necessary, licensing in advance of funding. Banks should monitor the names of
the parties contained in these messages and compare the names against OFAC lists. Refer to
overview section, “Office of Foreign Assets Control,” page 142, for guidance. Banks with a
high volume of SWIFT messages should determine whether their monitoring efforts are
adequate to detect suspicious activity, particularly if the monitoring mechanism is not
automated. Refer to core overview section “Suspicious Activity Reporting,” page 60, and
expanded overview section, “Funds Transfers,” page 207, for additional guidance.
77
Refer to the Financial Action Task Force’s report on Trade Based Money Laundering, June 23, 2006 and the
Asia Pacific Group Typology Report on Trade Based Money Laundering, July 20, 2012.
78
Refer to The Wolfsberg Trade Finance Principles, 2011.
79
For instance, refer to U.S. Customs and Border Protection Form 7501 (Entry Summary) and U.S. Department
of Commerce Form 7525-V (Shipper’s Export Declaration), which classify all U.S. imports and exports by 10-digit
harmonized codes.
Policies, procedures, and processes should also require a thorough review of all applicable
trade documentation (e.g., customs declarations, trade documents, invoices, etc.) to enable
the bank to monitor and report unusual and suspicious activity, based on the role played by
the bank in the letter of credit process. The sophistication of the documentation review
process and MIS should be commensurate with the size and complexity of the bank’s trade
finance portfolio and its role in the letter of credit process. In addition to OFAC filtering, the
monitoring process should give greater scrutiny to:
• Items shipped that are inconsistent with the nature of the customer’s business (e.g., a steel
company that starts dealing in paper products, or an information technology company
that starts dealing in bulk pharmaceuticals).
• Customers conducting business in higher-risk jurisdictions.
• Customers shipping items through higher-risk jurisdictions, including transit through
noncooperative countries.
• Customers involved in potentially higher-risk activities, including activities that may be
subject to export/import restrictions (e.g., equipment for military or police organizations
of foreign governments, weapons, ammunition, chemical mixtures, classified defense
articles, sensitive technical data, nuclear materials, precious gems, or certain natural
resources such as metals, ore, and crude oil).
• Obvious over- or under-pricing of goods and services.
• Obvious misrepresentation of quantity or type of goods imported or exported.
• Transaction structures that appear unnecessarily complex and designed to obscure the
true nature of the transaction.
• Customer directs payment of proceeds to an unrelated third party.
• Shipment locations or description of goods not consistent with letter of credit.
• Significantly amended letters of credit without reasonable justification or changes to the
beneficiary or location of payment. Any changes in the names of parties also should
prompt additional OFAC review.
On February 18, 2010, FinCEN issued an advisory to inform and assist the financial industry
in reporting instances of suspected trade-based money laundering (TBML).80 The advisory
contains examples of “red flags” based on activity reported in SARs that FinCEN and law
enforcement believe may indicate trade-based money laundering. In order to assist law
enforcement in its effort to target TBML and black market peso exchange (BMPE) activities,
FinCEN requested in the advisory that financial institutions check the appropriate box in Part
II, Suspicious Activity Information section of the SAR and include the abbreviation TBML
or BMPE in the narrative section of the SAR. The advisory can be found on the FinCEN
Web site.
80
Advisory to Financial Institutions on Filing Suspicious Activity Reports regarding Trade-Based Money
Laundering, FIN-2010-A001, February 18, 2010.
Unless customer behavior or transaction documentation appears unusual, the bank should not
be expected to spend undue time or effort reviewing all information. The examples above,
particularly for an Issuing Bank, may be included as part of its routine CDD process. Banks
with robust CDD programs may find that less focus is needed on individual transactions as a
result of their comprehensive knowledge of the customer’s activities.
Examination Procedures
Trade Finance Activities
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
trade finance activities, and management’s ability to implement effective due diligence,
monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to trade finance activities.
Evaluate the adequacy of the policies, procedures, and processes governing trade
finance-related activities and the risks they present. Assess whether the controls are adequate to
reasonably protect the bank from money laundering and terrorist financing.
2. Evaluate the adequacy of the due diligence information the bank obtains for the
customer’s files. Determine whether the bank has processes in place for obtaining
information at account opening, in addition to ensuring current customer information is
maintained.
3. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors the trade finance portfolio for suspicious or unusual
activities, particularly those that pose a higher risk for money laundering.
4. Determine whether the bank’s system for monitoring trade finance activities for
suspicious activities, and for reporting of suspicious activities, is adequate, given the
bank’s size, complexity, location, and types of customer relationships.
5. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
6. On the basis of the bank’s risk assessment of its trade finance portfolio, as well as prior
examination and audit reports, select a sample of trade finance accounts. From the
sample selected, review customer due diligence documentation to determine whether the
information is commensurate with the customer’s risk. Identify any unusual or
suspicious activities.
7. Verify whether the bank monitors the trade finance portfolio for potential OFAC
violations and unusual transactional patterns and conducts and records the results of any
due diligence.
8. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
trade finance activities.
• Cash management (e.g., checking accounts, overdraft privileges, cash sweeps, and
bill-paying services).
• Funds transfers.
• Asset management (e.g., trust, investment advisory, investment management, and
custodial and brokerage services).81
• The facilitation of shell companies and offshore entities (e.g., Private Investment
Companies (PIC), international business corporations (IBC), and trusts).82
• Lending services (e.g., mortgage loans, credit cards, personal loans, and letters of credit).
• Financial planning services including tax and estate planning.
• Custody services.
• Other services as requested (e.g., mail services).
81
For additional guidance, refer to the expanded overview and examination procedures, “Trust and Asset
Risk Factors
Private banking services can be vulnerable to money laundering schemes, and past money
laundering prosecutions have demonstrated that vulnerability. The 1999 Permanent
Subcommittee on Investigations’ Report “Private Banking and Money Laundering: A Case
Study of Opportunities and Vulnerabilities”83 outlined, in part, the following vulnerabilities
to money laundering:
83
Refer to U.S. Senate, Committee on Governmental Affairs, Private Banking and Money Laundering: A Case
Study of Opportunities and Vulnerabilities
(frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=106_senate_hearings&docid=f:61699.pdf).
84
Refer to the expanded overview section, “Business Entities (Domestic and Foreign),” page 314, for additional
guidance.
• Nature of the customer’s wealth and the customer’s business. The source of the
customer’s wealth, the nature of the customer’s business, and the extent to which the
customer’s business history presents an increased risk for money laundering and terrorist
financing. This factor should be considered for private banking accounts opened for
PEPs.85
• Purpose and anticipated activity. The size, purpose, types of accounts, products, and
services involved in the relationship, and the anticipated activity of the account.
• Relationship. The nature and duration of the bank’s relationship (including relationships
with affiliates) with the private banking customer.
• Customer’s corporate structure. Type of corporate structure (e.g., IBCs, shell
companies (domestic or foreign), or PICs).
• Geographic location and jurisdiction. The geographic location of the private banking
customer’s domicile and business (domestic or foreign). The review should consider the
extent to which the relevant jurisdiction is internationally recognized as presenting a
greater risk for money laundering or, conversely, is considered to have robust AML
standards.
• Public information. Information known or reasonably available to the bank about the
private banking customer. The scope and depth of this review should depend on the
nature of this relationship and the risks involved.
Customer Due Diligence
CDD is essential when establishing any customer relationship and it is critical for private
banking clients.86 Banks should take reasonable steps to establish the identity of their private
banking clients and, as appropriate, the beneficial owners of accounts.87 Adequate due
diligence should vary based on the risk factors identified previously. Policies, procedures,
and processes should define acceptable CDD for different types of products (e.g., PICs),
services, and accountholders. As due diligence is an ongoing process, a bank should take
measures to ensure account profiles are current and monitoring should be risk-based. Banks
should consider whether risk profiles should be adjusted or suspicious activity reported when
the activity is inconsistent with the profile.
85
Refer to the core overview section, “Private Banking Due Diligence Program (Non-U.S. Persons),” page 125,
and to the expanded overview section, “Politically Exposed Persons,” page 290, for additional guidance.
86
Due diligence policies, procedures, and processes are required for private banking accounts for non-U.S.
persons by section 312 of the USA PATRIOT Act. Refer to the core overview section, “Private Banking Due
Diligence Program (Non-U.S. Persons),” page 125, for additional guidance.
87
Guidance on Obtaining and Retaining Beneficial Ownership Information was issued by FinCEN, Board of
Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union
Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and
Exchange Commission, in consultation with the U.S. Commodity Futures Trading Commission, in May 2010.
The guidance consolidates existing regulatory expectations for obtaining beneficial ownership information for
certain accounts and customer relationships.
For purposes of the CIP, the bank is not required to search the private banking account to
verify the identities of beneficiaries, but instead is only required to verify the identity of the
named accountholder. However, the CIP rule also provides that, based on the bank’s risk
assessment of a new account opened by a customer that is not an individual (e.g., private
banking accounts opened for a PIC), the bank may need “to obtain information about”
individuals with authority or control over such an account, including signatories, in order to
verify the customer’s identity88 and to determine whether the account is maintained for
non-U.S. persons.89
Before opening accounts, banks should collect the following information from the private
banking clients:
Convertible Shares
Certain jurisdictions also allow for registered shares to be converted to bearer shares. These
types of entities also carry the same type of risk as bearer shares, primarily centered on the
lack of transparency regarding the potential transfer of ownership or control of those shares.
Risk mitigation for relationships belonging to corporate entities with a convertibility option is
essentially the same as traditional bearer shares. Financial institutions should assess the risk
posed by these relationships and implement appropriate and ongoing beneficial ownership
88 31 CFR 1020.220(a)(2)(ii)(C).
89 Refer to the core examination procedures, “Private Banking Due Diligence Program (Non-U.S. Persons),”
page 130, for additional guidance.
Examination Procedures
Private Banking
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
private banking activities, and management’s ability to implement effective due diligence,
monitoring, and reporting systems. This section expands the core review of the statutory and
regulatory requirements of private banking in order to provide a broader assessment of the
AML risks associated with this activity.
1. Review the policies, procedures, and processes related to private banking activities.
Evaluate the adequacy of the policies, procedures, and processes given the bank’s private
banking activities and the risks they represent. Assess whether the controls are adequate
to reasonably protect the bank from money laundering and terrorist financing.
2. From a review of MIS reports (e.g., customer aggregation, policy exception and missing
documentation, customer risk classification, unusual accounts activity, and client
concentrations) and internal risk rating factors, determine whether the bank effectively
identifies and monitors private banking relationships, particularly those that pose a higher
risk for money laundering.
3. Determine whether the bank’s system for monitoring private banking relationships for
suspicious activities, and for reporting of suspicious activities, is adequate given the
bank’s size, complexity, location, and types of customer relationships.
4. Review the private banking compensation program. Determine whether it includes
qualitative measures that are provided to employees to comply with account opening and
suspicious activity monitoring and reporting requirements.
5. Review the monitoring program the bank uses to oversee the private banking relationship
manager’s personal financial condition and to detect any inappropriate activities.
6. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
7. On the basis of the bank’s risk assessment of its private banking activities, as well as
prior examination and audit reports, select a sample of private banking accounts. The
sample should include the following types of accounts:
90 Asset management accounts can be trust or agency accounts and are managed by the bank.
91 The Office of the Comptroller of the Currency uses the broader term “fiduciary capacity” instead of “trust.”
Fiduciary capacity includes a trustee, an executor, an administrator, a registrar of stocks and bonds, a transfer
agent, a guardian, an assignee, a receiver, or a custodian under a uniform gifts to minors act; an investment
adviser, if the bank receives a fee for its investment advice; and any capacity in which the bank possesses
investment discretion on behalf of another (12 CFR 9.2(e) and 12 CFR 550.30).
92 For purposes of national banks and savings associations, certain investment management activities, such as
providing investment advice for a fee, are “fiduciary” in nature.
93 Refer to the Interagency Interpretive Guidance on Customer Identification Program Requirements under
Section 326 of the USA PATRIOT Act, August 28, 2005.
exercising options to purchase securities, or repaying a loan, in accordance with the terms of
the plan. For employee benefit plan accounts that are not subject to ERISA such as
employee benefit plan accounts established by government entities, the bank’s customer is
the employer that contracts with the bank to establish the account. By contrast, where an
individual opens an individual retirement account in a bank, the individual who opens the
account is the bank's "customer."
For purposes of the CIP, the bank is not required to search the trust, escrow, or similar
accounts to verify the identities of beneficiaries, but instead is only required to verify the
identity of the named accountholder (the trust). In the case of a trust account, the customer is
the trust whether or not the bank is the trustee for the trust. However, the CIP rule also
provides that, based on the bank’s risk assessment of a new account opened by a customer
that is not an individual, the bank may need “to obtain information about” individuals with
authority or control over such an account, including signatories, in order to verify the
customer’s identity.94 For example, in certain circumstances involving revocable trusts, the
bank may need to gather information about the settlor, grantor, trustee, or other persons with
the authority to direct the trustee, and who thus have authority or control over the account, in
order to establish the true identity of the customer.
In the case of an escrow account, if a bank establishes an account in the name of a third
party, such as a real estate agent, who is acting as escrow agent, then the bank’s customer is
the escrow agent. If the bank is the escrow agent, then the person who establishes the
account is the bank’s customer. For example, if the purchaser of real estate directly opens an
escrow account and deposits funds to be paid to the seller upon satisfaction of specified
conditions, the bank’s customer is the purchaser. Further, if a company in formation
establishes an escrow account for investors to deposit their subscriptions pending receipt of a
required minimum amount, the bank’s customer is the company in formation (or if not yet a
legal entity, the person opening the account on its behalf). However, the CIP rule also
provides that, based on the bank’s risk assessment of a new account opened by a customer
that is not an individual, the bank may need “to obtain information about” individuals with
authority or control over such an account, including signatories, in order to verify the
customer’s identity.95
Risk Factors
Trust and asset management accounts, including agency relationships, present BSA/AML
concerns similar to those of deposit taking, lending, and other traditional banking activities.
Concerns are primarily due to the unique relationship structures involved when the bank
handles trust and agency activities, such as:
94 Refer to 31 CFR 1020.220(a)(2)(ii)(C).
95 Id.
Risk Mitigation
Management should develop policies, procedures, and processes that enable the bank to
identify unusual account relationships and circumstances, questionable assets and sources of
assets, and other potential areas of risk (e.g., offshore accounts, PICs, asset protection trusts
(APT),97 agency accounts, and unidentified beneficiaries). While the majority of traditional
trust and asset management accounts do not need EDD, management should be alert to those
situations that need additional review or research.
96 For additional guidance on PICs, refer to the expanded overview section, “Business Entities (Domestic and
Foreign),” page 314.
97 APTs are a special form of irrevocable trust, usually created (settled) offshore for the principal purposes of
preserving and protecting part of one’s wealth against creditors. Title to the asset is transferred to a person
named as the trustee. APTs are generally tax neutral with the ultimate function of providing for the
beneficiaries.
98 Management and examiners should be aware that OFAC list-matching is not a BSA requirement. However,
because trust systems are typically separate and distinct from bank systems, verification of these checks on the
bank system is not sufficient to ensure that these checks are also completed in the trust and asset management
department. Moreover, OFAC’s position is that an account beneficiary has a future or contingent interest in
funds in an account and, consistent with a bank’s risk profile, beneficiaries should be screened to assure OFAC
compliance. Refer to the core overview section, “Office of Foreign Assets Control,” page 142, for additional
guidance.
and expanded overview section, “Politically Exposed Persons,” page 290, for additional
guidance.
99 For additional guidance, refer to the expanded overview section, “Nongovernmental Organizations and
Examination Procedures
Trust and Asset Management Services
Objective. Assess the adequacy of the bank’s policies, procedures, processes, and systems
to manage the risks associated with trust and asset management100 services, and
management’s ability to implement effective due diligence, monitoring, and reporting
systems.
If this is a standalone trust examination, refer to the core examination procedures, “Scoping
and Planning,” page 15, for comprehensive guidance on the BSA/AML examination scope.
In such instances, the trust examination may need to cover additional areas, including
training, the BSA compliance officer, independent review, and follow-up items.
1. Review the policies, procedures, and processes related to trust and asset management
services. Evaluate the adequacy of the policies, procedures, and processes given the
bank’s trust and asset management activities and the risks they present. Assess whether
the controls are adequate to reasonably protect the bank from money laundering and
terrorist financing.
2. Review the bank’s procedures for gathering additional identification information, when
necessary, about the settlor, grantor, trustee, or other persons with authority to direct a
trustee, and who thus have authority or control over the account, in order to establish a
true identity of the customer.
3. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors trust and asset management relationships, particularly
those that pose a higher risk for money laundering.
4. Determine how the bank includes trust and asset management relationships in a bank-
wide or, if appropriate, firm-wide BSA/AML aggregation systems.
5. Determine whether the bank’s system for monitoring trust and asset management
relationships for suspicious activities, and for reporting of suspicious activities, is
adequate given the bank’s size, complexity, location, and types of customer relationships.
6. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
7. On the basis of the bank’s risk assessment of its trust and asset management
relationships, as well as prior examination and audit reports, select a sample of higher-
risk trust and asset management services relationships. Include relationships with
grantors and co-trustees, if they have authority or control, as well as any higher-risk
assets such as private investment companies (PIC) or asset protection trusts. From the
sample selected, perform the following examination procedures:
• Review account opening documentation, including the CIP, to ensure that adequate
due diligence has been performed and that appropriate records are maintained.
• Review account statements and, as necessary, specific transaction details. Compare
expected transactions with actual activity.
• Determine whether actual activity is consistent with the nature of the customer’s
business and the stated purpose of the account.
• Identify any unusual or suspicious activity.
100 Asset management accounts can be trust or agency accounts and are managed by the bank.
8. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
trust and asset management relationships.
Risk Factors
Banks may find it more difficult to verify and authenticate an NRA accountholder’s
identification, source of funds, and source of wealth, which may result in BSA/AML risks.
The NRA’s home country may also heighten the account risk, depending on the secrecy laws
of that country. Because the NRA is expected to reside outside of the United States, funds
transfers or the use of foreign automated teller machines (ATM) may be more frequent. The
BSA/AML risk may be further heightened if the NRA is a politically exposed person (PEP).
Refer to the expanded examination procedures, “Politically Exposed Persons,” page 294, for
further information.
101 A foreign national is a resident alien if the individual is physically present in the United States for at least 31
days in the current calendar year and present 183 days or more based on counting: all days present during the
current year, plus one-third of the days present in the preceding year, plus one-sixth of the days present in the
second preceding year. Certain days of presence are disregarded, such as (i) days spent in the United States for
a medical condition that developed while the foreign national was present in the United States and unable to
leave, (ii) days regular commuters spend traveling to or from Canada or Mexico, (iii) a day of less than 24 hours
spent while in transit between two locations outside the United States, and (iv) days when the foreign national
was an exempt individual. The individual is considered a resident alien for federal income and employment tax
purposes from the first day of physical presence in the United States in the year that the test is satisfied. Refer
to the IRS Web site.
Risk Mitigation
Banks should establish policies, procedures, and processes that provide for sound due
diligence and verification practices, adequate risk assessment of NRA accounts, and ongoing
monitoring and reporting of unusual or suspicious activities. The following factors are to be
considered when determining the risk level of an NRA account:
102 Additional information can be found at www.irs.gov/formspubs. Also refer to IRS Bulletin 515 Withholding
of Tax on Nonresident Aliens and Foreign Entities.
Examination Procedures
Nonresident Aliens and Foreign Individuals
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
transactions involving accounts held by nonresident aliens (NRA) and foreign individuals,
and management’s ability to implement effective due diligence, monitoring, and reporting
systems.
1. Review the bank’s policies, procedures, and processes related to NRA and foreign
individual accounts. Evaluate the adequacy of the policies, procedures, and processes
given the bank’s nonresident alien and foreign individual activities and the risks they
represent. Assess whether the controls are adequate to reasonably protect the bank from
money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors higher-risk NRA and foreign individual accounts.
3. Determine whether the bank’s system of monitoring NRA and foreign individual
accounts for suspicious activities, and for reporting of suspicious activities, is adequate
based on the complexity of the bank’s NRA and foreign individual relationships, the
types of products used by NRAs and foreign individuals, the home countries of the
NRAs, and the source of funds and wealth for NRAs and foreign individuals.
4. If appropriate, refer to core examination procedures, “Office of Foreign Assets Control,”
page 152, for further guidance.
Transaction Testing
5. On the basis of the bank’s risk assessment of its NRA and foreign individual accounts, as
well as prior examination and audit reports, select a sample of higher-risk NRA accounts.
Include the following risk factors:
• For W-8 accounts, verify that appropriate forms have been completed and updated, as
necessary. Review transaction activity and identify patterns that indicate U.S.
resident status or indicate other unusual and suspicious activity.
7. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
NRA accounts.
103 For purposes of 31 CFR 1010.620, a “private banking account” is an account (or any combination of
accounts) maintained at a bank that satisfies all three of the following criteria:
• Requires a minimum aggregate deposit of funds or other assets of not less than $1 million;
• Is established on behalf of or for the benefit of one or more non-U.S. persons who are direct or beneficial
owners of the account; and
• Is assigned to, or is administered by, in whole or in part, an officer, employee, or agent of a bank acting
as a liaison between the covered financial institution and the direct or beneficial owner of the account.
104 Guidance on Enhanced Scrutiny for Transactions that may Involve the Proceeds of Foreign Official
Corruption issued by the U.S. Treasury, Board of Governors of the Federal Reserve System, Federal Deposit
Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, and the U.S.
Department of State, January 2001.
105 It is important to note that while government-owned corporations may present risks of their own, the
government-owned corporations themselves are not within the definition of a “senior foreign political figure.”
The definition of senior official or executive must remain sufficiently flexible to capture the
range of individuals who, by virtue of their office or position, potentially pose a risk that their
funds may be the proceeds of foreign corruption.106 Titles alone may not provide sufficient
information to determine if an individual is a PEP, because governments are organized
differently from jurisdiction to jurisdiction. In those cases when a bank files a SAR
concerning a transaction that may involve the proceeds of foreign corruption, FinCEN has
instructed banks to include the term “foreign corruption” in the narrative portion of the
SAR.107 Banks should establish risk-based controls and procedures that include reasonable
steps to ascertain the status of an individual as a PEP and to conduct risk-based scrutiny of
accounts held by these individuals. Risk varies depending on other factors, such as products
and services used and size or complexity of the account relationship. Banks also should
consider various factors when determining if an individual is a PEP including:
Risk Factors
In high-profile cases over the past few years, PEPs have used banks as conduits for their
illegal activities, including corruption, bribery, and money laundering. However, not all
PEPs present the same level of risk. This risk varies depending on numerous factors,
including the PEP’s geographic location, industry, or sector, position, and level or nature of
influence or authority. Risk may also vary depending on factors such as the purpose of the
account, the actual or anticipated activity, products and services used, and size or complexity
of the account relationship.
106 71 Fed. Reg. 495–515.
107 Refer to Guidance to Financial Institutions on Filing Suspicious Activity Reports regarding the Proceeds of
Foreign Corruption, FIN-2008-G005, April 17, 2008.
As a result of these factors, some PEPs may be lower risk and some may be higher risk for
foreign corruption or money laundering. Banks that conduct business with dishonest PEPs
face substantial reputational risk, additional regulatory scrutiny, and possible supervisory
action. Red flags regarding transactions that may be related to the proceeds of foreign
corruption are listed in the January 2001 interagency guidance. Banks also should be alert to
a PEP’s access to, and control or influence over, government or corporate accounts; the level
of involvement of intermediaries, vendors, shippers, and agents in the industry or sector in
which the PEP operates; and the improper use of corporate vehicles and other legal entities to
obscure ownership.
Risk Mitigation
Banks should exercise reasonable judgment in designing and implementing policies,
procedures, and processes regarding PEPs. Banks should obtain risk-based due diligence
information on PEPs and establish policies, procedures, and processes that provide for
appropriate scrutiny and monitoring. Having appropriate risk-based account opening
procedures for large-dollar or higher-risk products and services is critical. The opening of an
account is the prime opportunity for the bank to gather information for all customers,
including PEPs. Commensurate with the identified level of risk, due diligence procedures
should include, but are not necessarily limited to, the following:
• Identify the accountholder and beneficial owner, including the nominal and beneficial
owners of companies, trusts, partnerships, private investment companies, or other legal
entities that are accountholders.
• Seek information directly from the account holder and beneficial owner regarding
possible PEP status.
• Identify the accountholder’s and beneficial owner’s countr(ies) of residence and the level
of risk for corruption and money laundering associated with these jurisdictions.
• Obtain information regarding employment, including industry and sector and the level of
risk for corruption associated with the industries and sectors.
• Check references, as appropriate, to determine whether the account holder and beneficial
owner is or has been a PEP.
• Identify the account holder’s and beneficial owner’s source of wealth and funds.
• Obtain information on immediate family members or close associates either having
transaction authority over the account or benefiting from transactions conducted through
the account.
• Determine the purpose of the account and the expected volume and nature of account
activity.
• Make reasonable efforts to review public sources of information. These sources vary
depending on each situation; however, banks should check the accountholder and any
beneficial owners of legal entities against reasonably accessible public sources of
information (e.g., government databases, major news publications, commercial databases
and other databases available on the Internet, as appropriate).
PEP accounts are not limited to large or internationally focused banks. A PEP can open an
account at any bank, regardless of its size or location. Banks should have risk-based
procedures for identifying PEP accounts and assessing the degree of risks involved, which
will vary. Management should be involved in the decision to accept a PEP account. If
management determines after-the-fact that an account is a PEP account, it should evaluate the
risks and take appropriate steps. The bank should exercise additional, reasonable due
diligence with regard to such accounts. For example, the bank may increase reference
inquiries, obtain additional background information on the PEP from branches or
correspondents operating in the client’s home country, and make reasonable efforts to consult
publicly available information sources. Ongoing risk-based monitoring of PEP accounts is
critical to ensuring that the accounts are being used as anticipated. Refer to core overview
section, “Private Banking Due Diligence Program (Non-U.S. Persons),” page 125, for
expectations regarding private banking relationships with PEPs.
Examination Procedures
Politically Exposed Persons
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
senior foreign political figures, often referred to as “politically exposed persons” (PEP), and
management’s ability to implement effective risk-based due diligence, monitoring, and
reporting systems. If the relationship is a private banking account,108 refer to core overview
section, “Private Banking Due Diligence Program (Non-U.S. Persons),” page 125, for
guidance.
1. Review the risk-based policies, procedures, and processes related to PEPs. Evaluate the
adequacy of the policies, procedures, and processes given the bank’s PEP accounts and
the risks they present. Assess whether the risk-based controls are adequate to reasonably
protect the bank from being used as a conduit for money laundering, corruption, and
terrorist financing.
2. Review the procedures for opening PEP accounts. Identify management’s role in the
approval and ongoing risk-based monitoring of PEP accounts.
3. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors PEP relationships, particularly those that pose a higher
risk for corruption, money laundering, and terrorist financing.
4. Determine whether the bank’s system for monitoring PEPs for suspicious activities, and
for reporting of suspicious activities, is adequate given the bank’s size, complexity,
location, and types of customer relationships.
5. If appropriate, refer to core examination procedures, “Office of Foreign Assets Control,”
page 152, for guidance.
Transaction Testing
6. On the basis of the bank’s risk assessment of its PEP relationships, as well as prior
examination and audit reports, select a sample of PEP accounts. From the sample
selected, perform the following examination procedures:
• Determine compliance with regulatory requirements and with the bank’s established
policies, procedures, and processes related to PEPs.
• Review transaction activity for accounts selected. If necessary, request and review
specific transactions.
• If the analysis of activity and customer due diligence information raises concerns,
hold discussions with bank management.
108 For purposes of 31 CFR 1010.620, a “private banking account” is an account (or any combination of
accounts) maintained at a bank that satisfies all three of the following criteria:
• Requires a minimum aggregate deposit of funds or other assets of not less than $1 million;
• Is established on behalf of or for the benefit of one or more non-U.S. persons who are direct or beneficial
owners of the account; and
• Is assigned to, or is administered by, in whole or in part, an officer, employee, or agent of a bank acting
as a liaison between the covered financial institution and the direct or beneficial owner of the account.
7. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
PEPs.
Risk Factors
To provide embassy, foreign consulate, and foreign mission services, a U.S. bank may need
to maintain a foreign correspondent relationship with the embassy’s, foreign consulate’s, or
foreign mission’s bank. Banks conducting business with foreign embassies, consulates, or
missions should assess and understand the potential risks of these accounts and should
develop appropriate policies, procedures, and processes. Embassy, foreign consulate, and
foreign mission accounts may pose a higher risk in the following circumstances:
• Accounts are from countries that have been designated as higher risk.
• Substantial currency transactions take place in the accounts.
• Account activity is not consistent with the purpose of the account (e.g., pouch activity or
payable upon proper identification transactions) or account transactions are in unusual
amounts.
• Accounts directly fund personal expenses of foreign nationals, including but not limited
to expenses for college students.
• Official embassy business is conducted through personal accounts.
110 Guidance on Accepting Accounts from Foreign Governments, Foreign Embassies and Foreign Political
Figures (June 15, 2004); Updated Guidance on Accepting Accounts from Foreign Embassies, Consulates and
Missions (March 24, 2011).
Risk Mitigation
Banks should obtain comprehensive due diligence information on embassy, foreign
consulate, and foreign mission account relationships. For private banking accounts for non-
U.S. persons specifically, banks must obtain due diligence information as required by 31
CFR 1010.620.111 The bank’s due diligence related to embassy, foreign consulate, and
foreign mission account relationships should be commensurate with the risk levels presented.
In addition, banks are expected to establish policies, procedures, and processes that provide
for greater scrutiny and monitoring of all embassy, foreign consulate, and foreign mission
account relationships. Management should fully understand the purpose of the account and
the expected volume and nature of account activity. Ongoing monitoring of these account
relationships is critical to ensuring that the account relationships are being used as
anticipated.
Banks may also mitigate risk by entering into a written agreement that clearly defines the
terms of use for the account(s), setting forth available services, acceptable transactions and
access limitations. Written agreements to provide ancillary services or accounts to embassy,
foreign consulate, and foreign mission personnel and their families may also assist in
mitigating the varying degrees of risk.
Similarly, the bank could offer limited purpose accounts, such as those used to facilitate
operational expense payments (e.g., payroll, rent and utilities, routine maintenance), which
are generally considered lower risk and allow the implementation of customary functions in
the United States. The type and volume of transactions should be commensurate with the
purpose of the limited access account. Account monitoring to ensure compliance with
account limitations and the terms of any service agreements is essential to mitigate risks
associated with these accounts.
111 For additional guidance, refer to the core section overview, “Private Banking Due Diligence Program (Non-
Examination Procedures
Embassy, Foreign Consulate, and Foreign Mission Accounts
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
transactions involving embassy, foreign consulate and foreign mission accounts, and
management’s ability to implement effective due diligence, monitoring, and reporting
systems.
1. Review the policies, procedures, and processes related to embassy, foreign consulate, and
foreign mission accounts. Evaluate the adequacy of the policies, procedures, and
processes given the bank’s embassy, foreign consulate, and foreign mission accounts and
the risks they present (e.g., number of accounts, volume of activity, and geographic
locations). Assess whether the controls are adequate to reasonably protect the bank from
money laundering and terrorist financing.
2. Identify senior management’s role in the approval and ongoing monitoring of embassy,
foreign consulate, and foreign mission accounts. Determine whether the board is aware
of these banking activities and whether it receives periodic reports on these activities.
3. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors embassy, foreign consulate, and foreign mission
accounts, particularly those that pose a higher risk for money laundering.
4. Determine whether the bank’s system for monitoring embassy, foreign consulate, and
foreign mission accounts for suspicious activities, and for reporting of suspicious
activities, is adequate given the bank’s size, complexity, location, and types of customer
relationships.
5. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
6. On the basis of the bank’s risk assessment of its embassy, foreign consulate, and foreign
mission accounts, as well as prior examination and audit reports, select a sample of
accounts. From the sample selected, perform the following examination procedures:
• Determine compliance with regulatory requirements and with the bank’s established
policies, procedures, and processes.
• Review the documentation authorizing the ambassador or the foreign consulate to
conduct banking in the United States.
• Review transaction activity for accounts selected. If necessary, request and review
specific transactions.
7. On the basis of examination procedures completed, including transaction testing, form a
conclusion about the adequacy of policies, procedures, and processes associated with
embassy, foreign consulate, and foreign mission accounts.
112
Refer to Appendix D (“Statutory Definition of Financial Institution”) for guidance.
113
MSBs include five distinct types of financial services providers and the U.S. Postal Service: (1) dealers in
foreign exchange; (2) check cashers; (3) issuers or sellers of traveler’s checks or money orders; (4) providers
or sellers of prepaid access; and (5) money transmitters. FinCEN routinely publishes administrative letter
rulings that address inquiries regarding whether persons who engage in certain specific business activities are
MSBs.
114
77 Fed. Reg. 8148 (February 14, 2012) defines non-bank residential mortgage lenders and originators as
loan or finance companies for the purpose of requiring them to establish anti-money laundering programs and
report suspicious activity. FinCEN Guidance FIN-2012-R005, Compliance obligations of certain loan or
finance company subsidiaries of Federally regulated banks and other financial institutions (August 13, 2012),
confirms that when a subsidiary loan or finance company is obligated to comply with the AML and SAR
regulations that are applicable to its parent financial institution and is subject to examination by the parent
financial institution’s Federal functional regulator, the loan or finance company is deemed to comply with
FinCEN’s regulation.
115
Refer to 31 CFR Chapter X for specific regulatory requirements.
Risk Factors
NBFI industries are extremely diverse, ranging from large multi-national corporations to
small, independent businesses that offer financial services only as an ancillary component to
their primary business (e.g., grocery store that offers check cashing). The range of products
and services offered, and the customer bases served by NBFIs, are equally diverse. As a
result of this diversity, some NBFIs may be lower risk and some may be higher risk for
money laundering.
Banks that maintain account relationships with NBFIs may be exposed to a higher risk for
potential money laundering activities because many NBFIs:
116
Refer to Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses
Operating in the United States, April 26, 2005.
117
Refer to 31 CFR 1022.210 (requirement for MSBs to establish and maintain an anti-money laundering
program); 31 CFR 1022.310 (requirement for MSBs to file Currency Transaction Reports); 31 CFR 1022.320
(requirement for MSBs to file Suspicious Activity Reports, other than for check cashing); 31 CFR 1010.415
(requirement for MSBs that sell monetary instruments for currency to verify the identity of the customer and
create and maintain a record of each currency purchase between $3,000 and $10,000, inclusive); 31 CFR
1010.410(e) and (f) (rules applicable to certain transmittals of funds); 31 CFR 1022.410 (additional recordkeeping
requirement for dealers in foreign exchange including the requirement to create and maintain a record of each
exchange of currency in excess of $1,000); and 31 CFR 1022.420 (additional recordkeeping requirements for providers or
sellers of prepaid access).
118
Refer to 31 CFR 1022.380. All MSBs must register with FinCEN (whether or not licensed as an MSB by
any state) except: a business that is an MSB solely because it serves as an agent of another MSB; a business that
is an MSB solely as a seller of prepaid access; the U.S. Postal Service; and agencies of the United States, of
any state, or of any political subdivision of any state. A business that acts as an agent for a principal or
principals engaged in MSB activities, and that does not on its own behalf perform any other services of a nature
or value that would cause it to qualify as an MSB, is not required to register with FinCEN. FinCEN has issued
guidance on MSB registration and de-registration. Refer to Registration and De-Registration of Money
Services Businesses, FIN-2006-G006, February 3, 2006.
Prepaid Access
FinCEN’s regulation for MSBs excluded certain prepaid access arrangements from the
definition of prepaid programs. Providers and sellers of prepaid access are not considered
MSBs if they engage in prepaid arrangements excluded from the definition of a prepaid
program under 31 CFR 1010.100(ff)(4)(iii).119 The exclusions include arrangements that:
• Provide closed loop prepaid access to funds (e.g., store gift cards) in amounts not
to exceed $2,000 maximum value per device on any day.
• Provide prepaid access solely to funds provided by a government agency.
• Provide prepaid access to funds for pre-tax flexible spending for health and dependent
care, or from Health Reimbursement Arrangements for health care expenses.
There are two types of prepaid access arrangements that have a qualified exclusion:
• Open loop prepaid access that does not exceed $1,000 maximum value on any day.
• Prepaid access to employment benefits, incentives, wages or salaries (payroll).
These arrangements are not prepaid programs subject to BSA regulatory requirements unless
they can:
• Be used internationally,
• Allow transfers of value from person to person within the arrangement, or
• Be reloaded from a non-depository source.
If any one of these features is part of the arrangement, it is a covered prepaid program under
31 CFR 1010.100.
119
Frequently Asked Questions Final Rule-Definitions and Other Regulations Relating to Prepaid Access
(11/2/2011).
Regulatory Expectations
The following regulatory expectations apply to banks with MSB customers:
• The BSA does not require, and neither FinCEN nor the federal banking agencies expect,
banks to serve as the de facto regulator of any type of NBFI industry or individual NBFI
customer, including MSBs.
• While banks are expected to manage risk associated with all accounts, including MSB
accounts, banks are not held responsible for the MSB’s BSA/AML program.
• Not all MSBs pose the same level of risk, and not all MSBs require the same level of due
diligence. Accordingly, if a bank’s assessment of the risks of a particular MSB
relationship indicates a lower risk of money laundering or other illicit activity, a bank is
not routinely expected to perform further due diligence (such as reviewing information
about an MSB’s BSA/AML program) beyond the minimum due diligence expectations.
Unless indicated by the risk assessment of the MSB, banks are not expected to routinely
review an MSB’s BSA/AML program.
MSB Risk Assessment
An effective risk assessment should be a composite of multiple factors, and depending upon
the circumstances, certain factors may be given more weight than others. The following
factors may be used to help identify the level of risk presented by each MSB customer:
should be commensurate with the level of risk assigned to the MSB customer, after
consideration of these factors. If a bank’s risk assessment indicates potential for a
heightened risk of money laundering or terrorist financing, the bank is expected to conduct
further due diligence in a manner commensurate with the heightened risk.
• MSB is registered with FinCEN and licensed with the appropriate state(s), if required.
• MSB confirms it is subject to examination for AML compliance by the IRS or the
state(s), if applicable.122
• MSB affirms the existence of a written BSA/AML program and provides the BSA
officer’s name and contact information.
• MSB has an established banking relationship and/or account activity consistent with
expectations.
• MSB is an established business with an operating history.
• MSB is a principal with one or a few agents, or is acting as an agent for one principal.
• MSB provides services only to local residents.
• Most of the MSB’s customers conduct routine transactions in low dollar amounts.
• The expected (lower-risk) transaction activity for the MSB’s business operations is
consistent with information obtained by bank at account opening. Examples include the
following:
– Check cashing activity is limited to payroll or government checks (any dollar
amount).
– Check cashing service is not offered for third-party or out-of-state checks.
• Money-transmitting activities are limited to domestic entities (e.g., domestic bill
payments) or limited to lower dollar amounts (domestic or international).
122
On December 9, 2008, FinCEN and the Internal Revenue Service released the Bank Secrecy Act/Anti-Money
Laundering Examination Manual for Money Services Businesses (MSB Exam Manual) which was developed in
collaboration with the Conference of State Bank Supervisors, the Money Transmitter Regulators Association,
and state agencies responsible for MSB regulation. Refer to the MSB Exam Manual.
123
31 CFR 1010.100(ff).
124
Refer to Interagency Interpretive Guidance on Providing Banking Services to Money Services Businesses
Operating in the United States, April 26, 2005.
125
Refer to 31 CFR 1020.100 (FinCEN); 12 CFR 21.21 (Office of the Comptroller of the Currency); 12 CFR
208.63(b), 211.5(m), 211.24(j) (Board of Governors of the Federal Reserve System); 12 CFR 326.8(b)(2)
(Federal Deposit Insurance Corporation); 12 CFR 748.2(b) (National Credit Union Administration).
sophistication of the particular MSB, banking organizations may pursue some or all of the
following actions as part of an appropriate EDD review:
• Review written agent management and termination practices for the MSB.
• Review written employee screening practices for the MSB.
FinCEN and the federal banking agencies do not expect banks to uniformly require any or all
of the actions identified above for all MSBs.
Examination Procedures
Nonbank Financial Institutions
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
accounts of nonbank financial institutions (NBFI), and management’s ability to implement
effective monitoring and reporting systems.
1. Determine the extent of the bank’s relationships with NBFIs and, for banks with
significant relationships with NBFIs, review the bank’s risk assessment of this activity.
2. Review the policies, procedures, and processes related to NBFI accounts. Evaluate the
adequacy of the policies, procedures, and processes given the bank’s NBFI activities and
the risks they represent. Assess whether the controls are adequate to reasonably protect
the bank from money laundering and terrorist financing.
3. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors NBFI accounts.
4. Determine whether the bank’s system for monitoring NBFI accounts for suspicious
activities, and for reporting of suspicious activities, is adequate given the nature of the
bank’s customer relationships.
126
Refer to 31 CFR 1020.100 (FinCEN); 12 CFR 21.21 (Office of the Comptroller of the Currency); 12 CFR
208.63(b), 211.5(m), 211.24(j) (Board of Governors of the Federal Reserve System); 12 CFR 326.8(b)(2)
(Federal Deposit Insurance Corporation); 12 CFR 748.2(b) (National Credit Union Administration).
Transaction Testing
7. On the basis of the bank’s risk assessment of its NBFI accounts, as well as prior
examination and audit reports, select a sample of higher-risk NBFI accounts. From the
sample selected, perform the following examination procedures:
Risk Factors
In contrast to escrow accounts that are set up to serve individual clients, professional service
provider accounts allow for ongoing business transactions with multiple clients. Generally, a
bank has no direct relationship with or knowledge of the beneficial owners of these accounts,
who may be a constantly changing group of individuals and legal entities.
As with any account that presents third-party risk, the bank could be more vulnerable to
potential money laundering abuse. Some potential examples of abuse could include:
Risk Mitigation
When establishing and maintaining relationships with professional service providers, banks
should adequately assess account risk and monitor the relationship for suspicious or unusual
activity. At account opening, the bank should have an understanding of the intended use of
the account, including anticipated transaction volume, products and services used, and
geographic locations involved in the relationship. As indicated in the core overview section,
“Currency Transaction Reporting Exemptions,” page 86, professional service providers
cannot be exempted from currency transaction reporting requirements.
Examination Procedures
Professional Service Providers
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
professional service provider relationships, and management’s ability to implement effective
due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to professional service provider
relationships. Evaluate the adequacy of the policies, procedures, and processes given the
bank’s relationships with professional service providers and the risks these relationships
represent. Assess whether the controls are adequate to reasonably protect the bank from
money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors professional service provider relationships. MIS
reports should include information about an entire relationship. For example, an interest
on lawyers’ trust account (IOLTA) may be in the name of the law firm instead of an
individual. However, the bank’s relationship report should include the law firm’s
account and the names and accounts of lawyers associated with the IOLTA.
3. Determine whether the bank’s system for monitoring professional service provider
relationships for suspicious activities, and for reporting of suspicious activities, is adequate
given the bank’s size, complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
5. On the basis of the bank’s risk assessment of its relationships with professional service
providers, as well as prior examination and audit reports, select a sample of higher-risk
relationships. From the sample selected, perform the following examination procedures:
Risk Factors
Because NGOs can be used to obtain funds for charitable organizations, the flow of funds
both into and out of the NGO can be complex, making them susceptible to abuse by money
launderers and terrorists. The U.S. Treasury issued guidelines to assist charities in adopting
practices to reduce the risk of terrorist financing or abuse.127
Risk Mitigation
To assess the risk of NGO customers, a bank should conduct adequate due diligence on the
organization. In addition to required CIP information, due diligence for NGOs should focus
on other aspects of the organization, such as the following:
127
Refer to Anti-Terrorist Financing Guidelines: Voluntary Best Practices for U.S.-Based Charities, September
2006.
For accounts that bank management considers to be higher risk, stringent documentation,
verification, and transaction monitoring procedures should be established. NGO accounts
that are at higher risk for BSA/AML concerns include those operating or providing services
internationally, conducting unusual or suspicious activities, or lacking proper documentation.
EDD for these accounts should include:
Examination Procedures
Nongovernmental Organizations and Charities
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
accounts of nongovernmental organizations (NGO) and charities, and management’s ability
to implement effective due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to NGOs. Evaluate the adequacy
of the policies, procedures, and processes given the bank’s NGO accounts and the risks
they represent. Assess whether the controls are adequate to reasonably protect the bank
from money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors higher-risk NGO accounts.
3. Determine whether the bank’s system for monitoring NGO accounts for suspicious
activities, and for reporting of suspicious activities, is adequate given the bank’s size,
complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
5. On the basis of the bank’s risk assessment of its NGO and charity accounts, as well as prior
examination and audit reports, select a sample of higher-risk NGO accounts. From the
sample selected, perform the following examination procedures:
128
The term “domestic” refers to entities formed or organized in the United States. These entities may have no
other connection to the United States, and ownership and management of the entities may reside abroad.
129
The term “shell company” generally refers to an entity without a physical presence in any country. FinCEN
has issued guidance alerting financial institutions to the potential risks associated with providing financial
services to shell companies and reminding them of the importance of managing those risks. Refer to Potential
Money Laundering Risks Related to Shell Companies, FIN-2006-G013, November 2006.
130
Refer to GAO’s Company Formations — Minimal Ownership Information is Collected and Available, GAO-06-376,
April 2006. For additional information, refer to Failure to Identify Company Owners Impedes Law
Enforcement, Senate Hearing 109-845, held on November 14, 2006, and Tax Haven Abuses: The Enablers, The
Tools & Secrecy, Senate Hearing 109-797, held on August 1, 2006, (particularly the Joint Report of the
Majority and Minority Staffs of the Permanent Subcommittee on Investigations).
• Asset protection.
• Estate planning.
• Privacy and confidentiality.
• Reduction of tax liability.
Through an IBC, an individual is able to conduct the following:
Risk Factors
Money laundering and terrorist financing risks arise because business entities can hide the
true owner of assets or property derived from or associated with criminal activity.132 The
privacy and confidentiality surrounding some business entities may be exploited by
criminals, money launderers, and terrorists. Verifying the grantors and beneficial owner(s)
of some business entities may be extremely difficult, as the characteristics of these entities
shield the legal identity of the owner. Few public records disclose true ownership. Overall,
the lack of ownership transparency; minimal or no recordkeeping requirements, financial
disclosures, and supervision; and the range of permissible activities all increase money
laundering risk.
While business entities can be established in most international jurisdictions, many are
incorporated in OFCs that provide ownership privacy and impose few or no tax obligations.
To maintain anonymity, many business entities are formed with nominee directors,
officeholders, and shareholders. In certain jurisdictions, business entities can also be
131
Money Laundering Threat Assessment Working Group, U.S. Money Laundering Threat Assessment,
December 2005.
132
For a general discussion of the risk factors associated with the misuse of business entities, refer to the
Financial Action Task Force’s The Misuse of Corporate Vehicles, Including Trust and Company Service
Providers, October 13, 2006.
established using bearer shares; ownership records are not maintained, rather ownership is
based on physical possession of the stock certificates. Revocable trusts are another method
used to insulate the grantor and beneficial owner and can be designed to own and manage the
business entity, presenting significant barriers to law enforcement.
While the majority of U.S.-based shell companies serve legitimate purposes, some shell
companies have been used as conduits for money laundering, to hide overseas transactions,
or to layer domestic or foreign business entity structures.133 For example, regulators have
identified shell companies registered in the United States conducting suspicious transactions
with foreign-based counterparties. These transactions, primarily funds transfers circling in
and out of the U.S. banking system, evidenced no apparent business purpose. Domestic
business entities with bank-like names, but without regulatory authority to conduct banking,
should be particularly suspect.134
The following indicators of potentially suspicious activity may be commonly associated with
shell company activity:
133
Failure to Identify Company Owners Impedes Law Enforcement. Refer to Senate Hearing 109-845 held on
November 14, 2006.
134
The federal banking agencies notify banks and the public about entities engaged in unauthorized banking
activities, both offshore and domestic. These notifications can be found on the federal banking agencies’ Web
sites.
accounts, such as activity that has no business or apparent lawful purpose, funds transfer
activity to and from higher-risk jurisdictions, currency intensive transactions, and frequent
changes in the ownership or control of the nonpublic business entity.
Examination Procedures
Business Entities (Domestic and Foreign)
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
transactions involving domestic and foreign business entities, and management’s ability to
implement effective due diligence, monitoring, and reporting systems.
1. Review the bank’s policies, procedures, and processes related to business entities.
Evaluate the adequacy of the policies, procedures, and processes given the bank’s
transactions with business entities and the risks they present. Assess whether the controls
are adequate to reasonably protect the bank from money laundering and terrorist
financing.
2. Review the policies and processes for opening and monitoring accounts with business
entities. Determine whether the policies adequately assess the risk between different
account types.
3. Determine how the bank identifies and, as necessary, completes additional due diligence
on business entities. Assess the level of due diligence the bank performs when
conducting its risk assessment.
4. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors higher-risk business entity accounts.
5. Determine whether the bank’s system for monitoring business entities for suspicious
activities, and for reporting of suspicious activities, is adequate given the activities
associated with business entities.
6. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
7. On the basis of the bank’s risk assessment of its accounts with business entities, as well
as prior examination and audit reports, select a sample of these accounts. Include the
following risk factors:
• Convenience stores.
• Restaurants.
• Retail stores.
• Liquor stores.
• Cigarette distributors.
• Privately owned automated teller machines (ATM).
• Vending machine operators.
• Parking garages.
Risk Factors
Some businesses and entities may be misused by money launderers to legitimize their illicit
proceeds. For example, a criminal may own a cash-intensive business, such as a restaurant,
and use it to launder currency from illicit criminal activities. The restaurant’s currency
deposits with its bank do not, on the surface, appear unusual because the business is
legitimately a cash-generating entity. However, the volume of currency in a restaurant used
to launder money is most likely to be higher in comparison with similar restaurants in the area.
The nature of cash-intensive businesses and the difficulty in identifying unusual activity may
cause these businesses to be considered higher risk.
Risk Mitigation
When establishing and maintaining relationships with cash-intensive businesses, banks
should establish policies, procedures, and processes to identify higher-risk relationships;
assess AML risks; complete due diligence at account opening and periodically throughout the
relationship; and include such relationships in appropriate monitoring for unusual or
suspicious activity. At the time of account opening, the bank should have an understanding
of the customer’s business operations; the intended use of the account, including anticipated
transaction volume, products, and services used; and the geographic locations involved in the
relationship.
When conducting a risk assessment of cash-intensive businesses, banks should direct their
resources to those accounts that pose the greatest risk of money laundering or terrorist
financing. The following factors may be used to identify the risks:
135
As discussed in the core overview section, “Currency Transaction Reporting Exemptions,” page 86, certain
entities are ineligible for currency transaction reporting exemptions as a non-listed business.
Examination Procedures
Cash-Intensive Businesses
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with
cash-intensive businesses and entities, and management’s ability to implement effective due
diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to cash-intensive businesses.
Evaluate the adequacy of policies, procedures, and processes given the bank’s cash-
intensive business activities in relation to the bank’s cash-intensive business customers
and the risks that they represent. Assess whether the controls are adequate to reasonably
protect the bank from money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank
effectively identifies and monitors cash-intensive businesses and entities.
3. Determine whether the bank’s system for monitoring cash-intensive businesses for
suspicious activities, and for reporting of suspicious activities, is adequate given the
bank’s size, complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets
Control,” page 152, for guidance.
Transaction Testing
5. On the basis of the bank’s risk assessment of its cash-intensive business and entity
relationships, as well as prior examination and audit reports, select a sample of cash-
intensive businesses. As an alternative, identify branches in the bank’s highest-risk areas
or branches that ship/receive the most cash and request the largest sources and users of
cash at those locations. From the sample selected, perform the following examination
procedures: